{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6907", "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "state": "PUBLISHED", "assignerShortName": "DSF", "dateReserved": "2026-04-23T11:19:30.877Z", "datePublished": "2026-05-05T14:50:02.594Z", "dateUpdated": "2026-05-06T15:25:33.698Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "shortName": "DSF", "dateUpdated": "2026-05-05T14:50:02.594Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-524", "description": "CWE-524: Use of Cache Containing Sensitive Information", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-204", "descriptions": [{"lang": "en", "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"}]}], "title": "Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware", "metrics": [{"other": {"content": {"value": "low", "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels"}, "type": "Django severity rating"}}, {"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}, {"cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "baseScore": 2.3, "baseSeverity": "LOW"}}], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\n`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmad Sadeddin for reporting this issue.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.</p><p>`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`&#x27;*&#x27;`). This can lead to private data being stored and served.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank Ahmad Sadeddin for reporting this issue.</p>"}]}], "affected": [{"collectionURL": "https://pypi.org/project/Django/", "defaultStatus": "unaffected", "packageName": "django", "product": "Django", "repo": "https://github.com/django/django/", "vendor": "djangoproject", "versions": [{"status": "affected", "version": "6.0", "lessThan": "6.0.5", "versionType": "python"}, {"status": "unaffected", "version": "6.0.5", "versionType": "python"}, {"status": "affected", "version": "5.2", "lessThan": "5.2.14", "versionType": "python"}, {"status": "unaffected", "version": "5.2.14", "versionType": "python"}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "name": "Django security archive", "tags": ["vendor-advisory"]}, {"url": "https://groups.google.com/g/django-announce", "name": "Django releases announcements", "tags": ["mailing-list"]}, {"url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/", "name": "Django security releases issued: 6.0.5 and 5.2.14", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "type": "reporter", "value": "Ahmad Sadeddin"}, {"lang": "en", "type": "remediation developer", "value": "Sarah Boyce"}, {"lang": "en", "type": "coordinator", "value": "Sarah Boyce"}], "timeline": [{"lang": "en", "time": "2026-03-06T10:17:03.000Z", "value": "Initial report received."}, {"lang": "en", "time": "2026-04-23T10:17:26.000Z", "value": "Vulnerability confirmed."}, {"lang": "en", "time": "2026-05-05T09:00:00.000Z", "value": "Security release issued."}], "datePublic": "2026-05-05T09:00:00.000Z", "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-05T17:03:42.610418Z", "id": "CVE-2026-6907", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-06T15:25:33.698Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6907", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-05T17:03:42.610418Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-05T17:03:49.787Z"}}], "cna": {"title": "Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Ahmad Sadeddin"}, {"lang": "en", "type": "remediation developer", "value": "Sarah Boyce"}, {"lang": "en", "type": "coordinator", "value": "Sarah Boyce"}], "impacts": [{"capecId": "CAPEC-204", "descriptions": [{"lang": "en", "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"}]}], "metrics": [{"other": {"type": "Django severity rating", "content": {"value": "low", "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels"}}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}}, {"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "affected": [{"repo": "https://github.com/django/django/", "vendor": "djangoproject", "product": "Django", "versions": [{"status": "affected", "version": "6.0", "lessThan": "6.0.5", "versionType": "python"}, {"status": "unaffected", "version": "6.0.5", "versionType": "python"}, {"status": "affected", "version": "5.2", "lessThan": "5.2.14", "versionType": "python"}, {"status": "unaffected", "version": "5.2.14", "versionType": "python"}], "packageName": "django", "collectionURL": "https://pypi.org/project/Django/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-06T10:17:03.000Z", "value": "Initial report received."}, {"lang": "en", "time": "2026-04-23T10:17:26.000Z", "value": "Vulnerability confirmed."}, {"lang": "en", "time": "2026-05-05T09:00:00.000Z", "value": "Security release issued."}], "datePublic": "2026-05-05T09:00:00.000Z", "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "name": "Django security archive", "tags": ["vendor-advisory"]}, {"url": "https://groups.google.com/g/django-announce", "name": "Django releases announcements", "tags": ["mailing-list"]}, {"url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/", "name": "Django security releases issued: 6.0.5 and 5.2.14", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\n`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmad Sadeddin for reporting this issue.", "supportingMedia": [{"type": "text/html", "value": "<p>An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.</p><p>`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`&#x27;*&#x27;`). This can lead to private data being stored and served.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank Ahmad Sadeddin for reporting this issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-524", "description": "CWE-524: Use of Cache Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "shortName": "DSF", "dateUpdated": "2026-05-05T14:50:02.594Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6907", "state": "PUBLISHED", "dateUpdated": "2026-05-06T15:25:33.698Z", "dateReserved": "2026-04-23T11:19:30.877Z", "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "datePublished": "2026-05-05T14:50:02.594Z", "assignerShortName": "DSF"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AD5B44B-7569-458C-8F44-3021D9CC577C", "versionEndExcluding": "5.2.14", "versionStartIncluding": "5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "30ADB5F4-66B5-4015-BB55-CCB31106AB95", "versionEndExcluding": "6.0.5", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\n`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmad Sadeddin for reporting this issue."}], "id": "CVE-2026-6907", "lastModified": "2026-05-07T14:16:04.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "type": "Secondary"}]}, "published": "2026-05-05T16:16:18.227", "references": [{"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Vendor Advisory"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Third Party Advisory"], "url": "https://groups.google.com/g/django-announce"}, {"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/"}], "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-524"}], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "type": "Secondary"}]}

{"bugzilla": {"description": "django: Django: Information Disclosure via erroneous caching of Vary header with asterisk", "id": "2466771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466771"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-524", "details": ["A flaw was found in Django. The `django.middleware.cache.UpdateCacheMiddleware` component incorrectly caches web requests when the `Vary` header contains an asterisk ('*'). This error can lead to sensitive private data being stored in the cache and subsequently served to unauthorized users, resulting in information disclosure."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, disable the `django.middleware.cache.UpdateCacheMiddleware` in your Django application's `settings.py` file by removing it from the `MIDDLEWARE` list. This action prevents the erroneous caching of requests with an asterisk in the `Vary` header, thereby eliminating the information disclosure vulnerability. Be aware that disabling this middleware will also deactivate Django's built-in caching functionality, which may affect application performance and behavior. A restart of the Django application server is required for this change to take effect."}, "name": "CVE-2026-6907", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-25/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/eda-controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/hub-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform/automation-dashboard-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-tech-preview/metrics-service-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:discovery:2::el9", "fix_state": "Fix deferred", "package_name": "discovery/discovery-server-rhel9", "product_name": "Red Hat Discovery 2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "python-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite:el8/python-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite/iop-advisor-backend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Fix deferred", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2026-05-05T14:50:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6907\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6907\nhttps://docs.djangoproject.com/en/dev/releases/security/\nhttps://groups.google.com/g/django-announce\nhttps://www.djangoproject.com/weblog/2026/may/05/security-releases/"], "threat_severity": "Moderate"}