CVE-2026-8404

LOW

Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware

Title source: cna
STIX 2.1

Description

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.

References (3)

Core 3
Core References
Vendor Advisory vendor-advisory
Django security archive
https://docs.djangoproject.com/en/dev/releases/security/
Mailing List mailing-list
Django releases announcements
https://groups.google.com/g/django-announce
Vendor Advisory vendor-advisory
Django security releases issued: 6.0.6 and 5.2.15
https://www.djangoproject.com/weblog/2026/jun/03/security-releases/

Scores

CVSS v3 3.1
EPSS 0.0030
EPSS Percentile 21.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-178
Status published
Products (5)
djangoproject/Django 5.2 - 5.2.15
djangoproject/django 5.2 - 5.2.15
djangoproject/Django 5.2.15
djangoproject/Django 6.0 - 6.0.6
djangoproject/Django 6.0.6
Published Jun 03, 2026
Tracked Since Jun 03, 2026