Django Whitespace Vary Header Caching Vulnerability

Vulnerability

A vulnerability exists in Django versions 5.2 prior to 5.2.15 and 6.0 prior to 6.0.6, where the `django.utils.cache.has_vary_header()` function does not remove leading or trailing whitespace from `Vary` header values before making comparisons. This oversight allows remote attackers to access cached responses by sending requests to URLs with whitespace-padded `Vary` header values. Earlier, unsupported Django versions (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected but were not evaluated.
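To make the comparison concrete, the following is a simplified model written for this page (it is not Django's own `has_vary_header()` code): a whitespace-sensitive check beside a hardened one that strips each field name before the case-insensitive comparison. The sample header values are constructed.

```python
import re

# Splits a comma-separated header list, eating spaces next to each comma.
# Whitespace at the very start or end of the whole value is NOT consumed,
# which is exactly the gap the advisory describes.
_DELIM_RE = re.compile(r"\s*,\s*")


def has_vary_header_unstripped(headers, name):
    """Pre-fix style check: 'Cookie ' (trailing space) is not matched by 'cookie'."""
    vary = headers.get("Vary")
    if vary is None:
        return False
    existing = {h.lower() for h in _DELIM_RE.split(vary)}
    return name.lower() in existing


def has_vary_header_stripped(headers, name):
    """Hardened check: strip surrounding whitespace and drop empty entries
    before comparing, so padding cannot change the result."""
    vary = headers.get("Vary")
    if vary is None:
        return False
    existing = {h.strip().lower() for h in _DELIM_RE.split(vary) if h.strip()}
    return name.strip().lower() in existing


def compare(headers, name):
    """Return (unstripped, stripped) for one response; a mismatch flags a
    response whose caching decision depends on the whitespace handling."""
    return (has_vary_header_unstripped(headers, name),
            has_vary_header_stripped(headers, name))


# Constructed sample responses, headers given as plain dicts.
SAMPLES = {
    "clean":        {"Vary": "Cookie"},
    "trailing":     {"Vary": "Cookie "},
    "leading_list": {"Vary": " Accept-Encoding, Cookie"},
    "inner_list":   {"Vary": "Accept-Encoding , Cookie"},
    "absent":       {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        for field in ("Cookie", "Accept-Encoding"):
            print(f"{label:13s} {field:16s} {compare(hdrs, field)}")
```

Only the `trailing` and `leading_list` rows differ between the two columns, which is the class of response the fixed versions now handle consistently.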

Impact

Exploitation of this vulnerability could lead to unintended exposure of cached private data.

Remediation

Users can upgrade to Django versions 5.2.15 or 6.0.6 to address this vulnerability.

Added: Jun 3, 2026, 2:33 PM
Updated: Jun 3, 2026, 2:33 PM

Vulnerability Rating

Custom Algorithm

spread          7.6
impact          0.6
exploitability  7.6
remediation     7.7
relevance       9.9
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.