Django 6.0/5.2: UpdateCacheMiddleware Cookie Leak (6.0.7/5.2.16)
CVE-2026-48588 Published on July 7, 2026

Potential exposure of private data via cached Set-Cookie response
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Chris Whyland for reporting this issue.

Vendor Advisory Vendor Advisory NVD

Timeline

Initial report received.

Vulnerability confirmed. 5 days later.

Security release issued. 47 days later.

Weakness Type

Use of Cache Containing Sensitive Information

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.


Products Associated with CVE-2026-48588

Want to know whenever a new CVE is published for Django Project Django? stack.watch will email you.

 

Affected Versions

djangoproject Django: