An issue was discovered in Django 5.2 before 5.2.15 and 6...
Low severity
Unreviewed
Published
Jun 3, 2026
to the GitHub Advisory Database
•
Updated Jun 3, 2026
Description
Published by the National Vulnerability Database
Jun 3, 2026
Published to the GitHub Advisory Database
Jun 3, 2026
Last updated
Jun 3, 2026
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
django.middleware.cache.UpdateCacheMiddlewarein Django does not matchCache-Controlresponse directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because theirCache-Controldirectives used uppercase or mixed-case values.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Ahmed Badawe for reporting this issue.
References