Django
cpe:2.3:a:django_project:django:*:*:*:*:*:*:*
- >= 5.2, < 5.2.15
- >= 6.0, < 6.0.6
- ~5.0
- ~4.1
- ~3.2
Django's UpdateCacheMiddleware, in versions 5.2 before 5.2.15 and 6.0 before 6.0.6, does not add 'Authorization' to the 'Vary' response header when it caches a response to a request that carried an 'Authorization' header and whose response was not marked 'Cache-Control: public'. The cache key the middleware learns for a URL is derived from the URL and the values of the headers listed in 'Vary', so a response generated for an authenticated client is stored under a key that an unauthenticated request for the same URL also produces. A remote attacker can therefore retrieve the private cached response without credentials. Earlier, unsupported Django series (such as 5.0.x, 4.1.x and 3.2.x) may also be affected.
Impact: an unauthenticated user can read cached responses that were generated for an authenticated user, disclosing whatever private data the cached view returned. Deployments are exposed only where responses pass through the site-wide cache middleware (UpdateCacheMiddleware with FetchFromCacheMiddleware) or the cache_page decorator, which is built on the same middleware.
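The following model, added here as an illustration and not taken from Django's source, shows why omitting Authorization from Vary lets an anonymous request hit the private entry. It reproduces only the Vary-keyed part of the cache logic: learn the header list for a URL, then build a key from the request's values for those headers. The cache, URL, token and response bodies are constructed for the example, and request headers are stored lowercase-keyed.

```python
"""Simplified model of Django-style Vary-aware cache keys.
Added illustration for this advisory; not Django's own code. The in-memory
cache, URL, header values and responses below are constructed for the example."""
import hashlib


def _vary_headers(response: dict) -> list[str]:
    """Parse the response's Vary header into lowercase header names."""
    raw = response["headers"].get("Vary", "")
    return [h.strip().lower() for h in raw.split(",") if h.strip()]


def _is_public(response: dict) -> bool:
    """True when the application explicitly marked the response shareable."""
    cc = response["headers"].get("Cache-Control", "")
    return "public" in [d.strip().lower() for d in cc.split(",")]


def _key_from_headers(request: dict, header_list: list[str]) -> str:
    """Key = method + URL + hash of this request's values for the varied headers."""
    ctx = hashlib.sha256()
    for name in header_list:
        value = request["headers"].get(name)  # request headers are lowercase-keyed
        if value is not None:
            ctx.update(value.encode())
    url_hash = hashlib.sha256(request["path"].encode()).hexdigest()
    return f"cache_page.{request['method']}.{url_hash}.{ctx.hexdigest()}"


def learn_cache_key(request: dict, response: dict, cache: dict,
                    vary_on_authorization: bool) -> str:
    """Record which request headers the response for this URL varies on and
    return the key under which this response is stored.
    vary_on_authorization=False models the flawed behaviour (Authorization never
    enters Vary); True models the corrected behaviour, where a response produced
    from an authenticated request varies on Authorization unless the
    application said Cache-Control: public."""
    header_list = _vary_headers(response)
    if (vary_on_authorization
            and "authorization" in request["headers"]
            and not _is_public(response)
            and "authorization" not in header_list):
        header_list.append("authorization")
        # Advertise it downstream too, so shared proxies key on the same headers.
        existing = response["headers"].get("Vary")
        response["headers"]["Vary"] = f"{existing}, Authorization" if existing else "Authorization"
    cache[f"headerlist.{request['method']}.{request['path']}"] = header_list
    return _key_from_headers(request, header_list)


def get_cache_key(request: dict, cache: dict):
    """Build the lookup key for a request from the learned header list, if any."""
    header_list = cache.get(f"headerlist.{request['method']}.{request['path']}")
    if header_list is None:
        return None
    return _key_from_headers(request, header_list)


def anonymous_hit(vary_on_authorization: bool, public: bool = False) -> bool:
    """Return True if an unauthenticated request for the same URL gets a cache
    hit on the response that was generated for an authenticated request."""
    cache: dict = {}
    resp_headers = {"Vary": "Accept-Language"}
    if public:
        resp_headers["Cache-Control"] = "public, max-age=60"
    private_response = {"status": 200, "headers": resp_headers, "body": "account: alice"}
    authed = {"method": "GET", "path": "/api/account/",
              "headers": {"authorization": "Bearer alice-token", "accept-language": "en"}}
    key = learn_cache_key(authed, private_response, cache, vary_on_authorization)
    cache[key] = private_response
    anon = {"method": "GET", "path": "/api/account/", "headers": {"accept-language": "en"}}
    anon_key = get_cache_key(anon, cache)
    return anon_key is not None and anon_key in cache


if __name__ == "__main__":
    print("flawed, private response:   anonymous hit =", anonymous_hit(False))
    print("corrected, private response: anonymous hit =", anonymous_hit(True))
    print("corrected, Cache-Control: public: anonymous hit =", anonymous_hit(True, public=True))
```

With the flawed behaviour the anonymous request produces the same key as the authenticated one and reads the private body; with Authorization in the learned header list the keys differ and the anonymous request misses. The third case shows the deliberate exception: a response the application marked public is still shared across clients.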
Upgrade to Django 6.0.6 or 5.2.15 to address this vulnerability. Confirm the version actually running in each environment with "python -m django --version" rather than relying on a requirements file, since a pinned range can resolve to an affected release.