Django Session Fixation Vulnerability via Cached Public Pages

Vulnerability

A session fixation vulnerability has been identified in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. The issue arises when the `SESSION_SAVE_EVERY_REQUEST` setting is enabled: the cookie-related response headers are not changed when the session itself is unaltered. As a result, a remote attacker can steal a user's session after that user has visited a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.

Impact

Successful exploitation results in session fixation: an attacker can hijack the session of an affected user.

Remediation

Upgrade to Django 6.0.5 (for the 6.0 series) or 5.2.14 (for the 5.2 series) to address this vulnerability.
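To check a deployment against the affected versions and the setting named above, here is an added example that is not part of this advisory or of Django itself. It takes the version string and the setting value as plain inputs (a real deployment would read them from `django.get_version()` and `django.conf.settings`); the fixed versions are the ones the advisory lists.

```python
# Added example (not from the advisory or the Django project): decide whether a
# Django deployment falls in the affected range described above.
from typing import NamedTuple

# series -> first fixed release, as stated in the advisory
FIXED_VERSIONS = {(6, 0): (6, 0, 5), (5, 2): (5, 2, 14)}


class AuditResult(NamedTuple):
    vulnerable: bool
    reason: str


def parse_version(version: str) -> tuple:
    """Turn '5.2.13' or '5.2' into a 3-tuple of ints. A pre-release suffix
    such as '6.0rc1' is dropped, so it sorts before the first fixed release."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def audit(django_version: str, session_save_every_request: bool) -> AuditResult:
    """Precondition from the advisory: SESSION_SAVE_EVERY_REQUEST enabled.
    Older unsupported series are treated as affected, since no fix exists."""
    if not session_save_every_request:
        return AuditResult(False, "SESSION_SAVE_EVERY_REQUEST is disabled")
    ver = parse_version(django_version)
    series = ver[:2]
    fixed = FIXED_VERSIONS.get(series)
    if fixed is not None:
        if ver < fixed:
            return AuditResult(True, f"{django_version} is before fixed release "
                               + ".".join(map(str, fixed)))
        return AuditResult(False, f"{django_version} includes the fix")
    if series < min(FIXED_VERSIONS):
        return AuditResult(True, f"{django_version} is an unsupported series; "
                           "upgrade to 5.2.14 or 6.0.5")
    return AuditResult(False, f"{django_version} is not covered by the advisory")
```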

Added: May 5, 2026, 4:59 PM
Updated: May 5, 2026, 4:59 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 1.0
exploitability: 6.5
remediation: 7.7
relevance: 7.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.