{"api_version":"1","generated_at":"2026-06-22T23:39:25+00:00","cve":"CVE-2026-35193","urls":{"html":"https://cve.report/CVE-2026-35193","api":"https://cve.report/api/cve/CVE-2026-35193.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-35193","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-35193"},"summary":{"title":"Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware","description":"An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Shai Berger for reporting this issue.","state":"PUBLISHED","assigner":"DSF","published_at":"2026-06-03 14:16:41","updated_at":"2026-06-05 13:03:52"},"problem_types":["CWE-524","CWE-524 CWE-524: Use of Cache Containing Sensitive Information"],"metrics":[{"version":"4.0","source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","type":"Secondary","score":"2.3","severity":"LOW","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"2.3","severity":"LOW","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N","data":{"baseScore":2.3,"baseSeverity":"LOW","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N","version":"4.0"}},{"version":"3.1","source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","type":"Secondary","score":"3.1","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"3.1","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","data":{"baseScore":3.1,"baseSeverity":"LOW","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://www.djangoproject.com/weblog/2026/jun/03/security-releases/","name":"https://www.djangoproject.com/weblog/2026/jun/03/security-releases/","refsource":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":["Patch","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://groups.google.com/g/django-announce","name":"https://groups.google.com/g/django-announce","refsource":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://docs.djangoproject.com/en/dev/releases/security/","name":"https://docs.djangoproject.com/en/dev/releases/security/","refsource":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":["Patch","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-35193","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35193","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"djangoproject","product":"Django","version":"affected 6.0 6.0.6 python","platforms":[]},{"source":"CNA","vendor":"djangoproject","product":"Django","version":"unaffected 6.0.6 python","platforms":[]},{"source":"CNA","vendor":"djangoproject","product":"Django","version":"affected 5.2 5.2.15 python","platforms":[]},{"source":"CNA","vendor":"djangoproject","product":"Django","version":"unaffected 5.2.15 python","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-03-24T00:00:00.000Z","lang":"en","value":"Initial report received."},{"source":"CNA","time":"2026-04-28T00:00:00.000Z","lang":"en","value":"Vulnerability confirmed."},{"source":"CNA","time":"2026-06-03T08:00:00.000Z","lang":"en","value":"Security release issued."}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Shai Berger","lang":"en"},{"source":"CNA","value":"Jacob Walls","lang":"en"},{"source":"CNA","value":"Natalia Bidart","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"35193","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"djangoproject","cpe5":"django","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"35193","cve":"CVE-2026-35193","epss":"0.000400000","percentile":"0.124740000","score_date":"2026-06-09","updated_at":"2026-06-10 00:13:18"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-35193","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-03T15:47:08.153480Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-03T15:47:18.140Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://pypi.org/project/Django/","defaultStatus":"unaffected","packageName":"django","product":"Django","repo":"https://github.com/django/django/","vendor":"djangoproject","versions":[{"lessThan":"6.0.6","status":"affected","version":"6.0","versionType":"python"},{"status":"unaffected","version":"6.0.6","versionType":"python"},{"lessThan":"5.2.15","status":"affected","version":"5.2","versionType":"python"},{"status":"unaffected","version":"5.2.15","versionType":"python"}]}],"credits":[{"lang":"en","type":"reporter","value":"Shai Berger"},{"lang":"en","type":"remediation developer","value":"Jacob Walls"},{"lang":"en","type":"coordinator","value":"Natalia Bidart"}],"datePublic":"2026-06-03T08:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.</p><p><code>django.middleware.cache.UpdateCacheMiddleware</code> in Django does not add <code>Authorization</code> to the <code>Vary</code> response header for requests bearing that header without <code>Cache-Control: public</code>, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank Shai Berger for reporting this issue.</p>"}],"value":"An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Shai Berger for reporting this issue."}],"impacts":[{"capecId":"CAPEC-204","descriptions":[{"lang":"en","value":"CAPEC-204: Lifting Sensitive Data Embedded in Cache"}]}],"metrics":[{"other":{"content":{"namespace":"https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels","value":"low"},"type":"Django severity rating"}},{"cvssV3_1":{"baseScore":3.1,"baseSeverity":"LOW","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"}},{"cvssV4_0":{"baseScore":2.3,"baseSeverity":"LOW","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N","version":"4.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-524","description":"CWE-524: Use of Cache Containing Sensitive Information","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-03T13:16:38.456Z","orgId":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","shortName":"DSF"},"references":[{"name":"Django security archive","tags":["vendor-advisory"],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"name":"Django releases announcements","tags":["mailing-list"],"url":"https://groups.google.com/g/django-announce"},{"name":"Django security releases issued: 6.0.6 and 5.2.15","tags":["vendor-advisory"],"url":"https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"}],"source":{"discovery":"INTERNAL"},"timeline":[{"lang":"en","time":"2026-03-24T00:00:00.000Z","value":"Initial report received."},{"lang":"en","time":"2026-04-28T00:00:00.000Z","value":"Vulnerability confirmed."},{"lang":"en","time":"2026-06-03T08:00:00.000Z","value":"Security release issued."}],"title":"Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","assignerShortName":"DSF","cveId":"CVE-2026-35193","datePublished":"2026-06-03T13:16:38.456Z","dateReserved":"2026-04-01T18:21:23.779Z","dateUpdated":"2026-06-03T15:47:18.140Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-03 14:16:41","lastModifiedDate":"2026-06-05 13:03:52","problem_types":["CWE-524","CWE-524 CWE-524: Use of Cache Containing Sensitive Information"],"metrics":{"cvssMetricV40":[{"source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.2.15","matchCriteriaId":"048C450F-F81F-4A1D-9BF7-DC36FF26988E"},{"vulnerable":true,"criteria":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.0.6","matchCriteriaId":"BC9BA685-D9CE-406E-A479-9C444E8EADB3"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"35193","Ordinal":"1","Title":"Potential exposure of private data via missing Vary: Authorizati","CVE":"CVE-2026-35193","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"35193","Ordinal":"1","NoteData":"An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Shai Berger for reporting this issue.","Type":"Description","Title":"Potential exposure of private data via missing Vary: Authorizati"}]}}}