BIT-DJANGO-2026-8404 Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

BIT-DJANGO-2026-35193 Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private...

CVE-2026-30246

A flaw was found in github.com/gofiber/fiber/v3. The default key generator in the cache middleware incorrectly uses only the request path, omitting the query string. This allows requests for the same path but with different query parameters to share a cache key, leading to incorrect cached...

CVE-2026-8404

A flaw was found in Django. The django.middleware.cache.UpdateCacheMiddleware component does not correctly process Cache-Control response directives when they use uppercase or mixed-case values. This vulnerability allows a remote attacker to read responses that should not have been cached, leadin...

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to improper handling of Cache-Control directives in UpdateCacheMiddleware. An attacker can gain unauthorized access to sensitive response data by sending requests with uppercase or mixed-case...

PYSEC-2026-201

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

PYSEC-2026-201

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

PYSEC-2026-197

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private...

PYSEC-2026-197

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private...

CVE-2026-35193 Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private...

CVE-2026-8404 Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

CVE-2026-8404

Django 5.2 before 5.2.15 and 6.0 before 6.0.6 contains a vulnerability in django.middleware.cache.UpdateCacheMiddleware where Cache-Control directives are not matched case-insensitively, allowing remote attackers to read cached responses. Older series (5.0.x, 4.1.x, 3.2.x) may also be affected. A...

CVE-2026-8404 Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

EUVD-2026-34088

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

UBUNTU-CVE-2026-35193

Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware...

UBUNTU-CVE-2026-8404

Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware...

PT-2026-45949

Name of the Vulnerable Software and Affected Versions Django versions prior to 5.2.15 Django versions prior to 6.0.6 Description An issue exists in django.middleware.cache.UpdateCacheMiddleware where Cache-Control response directives are not matched case-insensitively. This allows remote attacker...

PT-2026-45938

Name of the Vulnerable Software and Affected Versions Django versions prior to 5.2.15 Django versions prior to 6.0.6 Description An issue exists in django.middleware.cache.UpdateCacheMiddleware where the Authorization header is not added to the Vary response header for requests that include that...

CVE-2026-44457

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be...

Fedora 42 : python-django5 (2026-b9548393aa)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-b9548393aa advisory. - Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass - Fixes CVE-2026-35192: Session...