Django 6.0/5.2: UpdateCacheMiddleware Cookie Leak (6.0.7/5.2.16)
CVE-2026-48588 Published on July 7, 2026
Potential exposure of private data via cached Set-Cookie response
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16.
`UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Chris Whyland for reporting this issue.
Timeline
Initial report received.
Vulnerability confirmed. 5 days later.
Security release issued. 47 days later.
Weakness Type
Use of Cache Containing Sensitive Information
The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.
Products Associated with CVE-2026-48588
Want to know whenever a new CVE is published for Django Project Django? stack.watch will email you.
Affected Versions
djangoproject Django:- Version 6.0 and below 6.0.7 is affected.
- Version 6.0.7 is unaffected.
- Version 5.2 and below 5.2.16 is affected.
- Version 5.2.16 is unaffected.