CVE-2026-6907
LowSummary
An issue was discovered in versions 6.0 before 6.0.5 and 5.2 before 5.2.14 in `django.middleware.cache.UpdateCacheMiddleware`, which erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.
Risk Assessment
Organizations may expose themselves to the risk of leaking private data, which can lead to user privacy violations and potential legal consequences.
Recommendation
It is recommended to upgrade to Django versions 6.0.5 or 5.2.14 to mitigate this vulnerability and to review and secure cached data.
Original NVD description (English source)
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0

