CVE-2026-6907: Django Uses Cache Containing Sensitive Information

May 5, 2026 (updated May 8, 2026)

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ('*'). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Ahmad Sadeddin for reporting this issue.

References

docs.djangoproject.com/en/dev/releases/security
github.com/advisories/GHSA-5hrc-gvxj-w55p
github.com/django/django
groups.google.com/g/django-announce
nvd.nist.gov/vuln/detail/CVE-2026-6907
www.djangoproject.com/weblog/2026/may/05/security-releases

Code Behaviors & Features

Detect and mitigate CVE-2026-6907 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →