CVE-2026-35192: Django Uses Persistent Cookies Containing Sensitive Information

May 5, 2026 (updated May 8, 2026)

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can steal a user’s session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Cantina for reporting this issue.

References

docs.djangoproject.com/en/dev/releases/security
github.com/advisories/GHSA-7h2m-m8vj-598h
github.com/django/django
groups.google.com/g/django-announce
nvd.nist.gov/vuln/detail/CVE-2026-35192
www.djangoproject.com/weblog/2026/may/05/security-releases

Code Behaviors & Features

Detect and mitigate CVE-2026-35192 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →