CVE-2026-35193

Published: Giu 03, 2026 Last Modified: Giu 05, 2026
ExploitDB:
Other exploit source:
Google Dorks:
LOW 2,3
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: passive
Confidentiality: N/A
Integrity: N/A
Availability: N/A
LOW 3,1
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: low
Integrity: none
Availability: none

Description

AI Translation Available

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Shai Berger for reporting this issue.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0004
Percentile
0,1th
Updated

EPSS Score Trend (Last 6 Days)

524

Use of Cache Containing Sensitive Information

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality
Potential Impacts:
Read Application Data
Applicable Platforms
All platforms may be affected
View CWE Details
Application

Django by Djangoproject

Product Information
Vendor Djangoproject
Product Django
Version Range Affected
From 5.2 (inclusive)
To 5.2.15 (exclusive)
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Django by Djangoproject

Product Information
Vendor Djangoproject
Product Django
Version Range Affected
From 6.0 (inclusive)
To 6.0.6 (exclusive)
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://docs.djangoproject.com/en/dev/releases/security/
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2026/jun/03/security-r…
https://www.djangoproject.com/weblog/2026/jun/03/security-releases/