CVE-2026-35192
LowSummary
An issue was discovered in versions 6.0 before 6.0.5 and 5.2 before 5.2.14 regarding response headers that do not vary on cookies if a session is not modified, while `SESSION_SAVE_EVERY_REQUEST` is set to `True`. A remote attacker can steal a user's session after that user visits a cached public page.
Risk Assessment
The organization is at risk of session theft, which could lead to unauthorized access to user data and resources. An attacker could exploit this vulnerability to take control of user accounts.
Recommendation
It is recommended to upgrade to Django versions 6.0.5 or 5.2.14 to mitigate this vulnerability. Additionally, consider modifying session settings to minimize risk.
Original NVD description (English source)
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django s

