NewsSecurityWeb DevelopmentPython

Django Patches Cache Poisoning Flaw: Upgrade to 6.0.7 or 5.2.16 Now

Django security vulnerability CVE-2026-48588 cache poisoning flaw patch illustration
Django 6.0.7 and 5.2.16 patch a cache middleware cookie poisoning vulnerability

Django issued security releases for versions 6.0.7 and 5.2.16 on July 7, patching three CVEs — the most consequential of which allows session cookies to leak into a shared cache when a request already carries an unrelated cookie. If your Django app uses cache middleware alongside session middleware, this one needs your attention today.

The Bug That Slipped Through

UpdateCacheMiddleware has always included logic to avoid caching responses that set cookies. The intent is sound: you don’t want a newly-issued session token getting stored in Redis or Memcached and then served to the next user who hits the same URL.

The flaw was in the condition check. The guard only engaged when the incoming request had no cookies at all. The moment a user’s browser sent any existing cookie — a language preference, an A/B test flag, a theme selection — the check short-circuited and caching proceeded. The response, Set-Cookie header and all, went into the shared cache.

The fix, backported across the 5.2, 6.0, and 6.1 branches, expands the condition: the guard now triggers whenever a response sets a cookie and varies on Cookie, regardless of what the incoming request carried. It’s the logic that should have been there from the start.

What an Exploit Looks Like

Picture a Django app with both UpdateCacheMiddleware and SessionMiddleware active. A user visits your login page. Their browser sends along a django_language=en cookie. They authenticate, Django creates a session, and the response includes Set-Cookie: sessionid=abc123 with Vary: Cookie. Unpatched Django caches that response.

The next user to request the same URL gets the cached version — complete with the first user’s session cookie in the response headers. Whether that results in session takeover depends on browser behavior and downstream caching layers, but you’ve already lost control of the session token. That’s the scenario you want to avoid entirely.

Check Your Configuration

Not every Django app is affected. Direct use of the cache API (cache.set(), cache.get()) is not in scope — this bug lives specifically in the middleware and decorator path. Check your settings.py:

MIDDLEWARE = [
    'django.middleware.cache.UpdateCacheMiddleware',   # if this is present...
    # ...
    'django.contrib.sessions.middleware.SessionMiddleware',  # ...and this is too
    # ...
    'django.middleware.cache.FetchFromCacheMiddleware',
]

Also check for views using the @cache_page() decorator — it routes through the same middleware logic under the hood. If either pattern exists in your codebase, treat the upgrade as urgent.

Upgrade Now

# Django 6.x
pip install "Django>=6.0.7"

# Django 5.2.x LTS
pip install "Django>=5.2.16"

Django 5.2 is the current long-term support release, maintained through April 2028. Both branches receive this patch. After upgrading, restart your application and verify your cache backend is flushed — stale cached responses from the vulnerable version may still be in your cache store.

The Other Two CVEs

The July 7 release bundles two additional low-severity fixes.

CVE-2026-53878 affects DomainNameValidator, which accepted newline characters in domain names. Used directly with untrusted input, this opened the door to HTTP response splitting. Standard Django form fields (which strip newlines via CharField) were not at risk, and HttpResponse itself blocks header newlines — so core Django usage was safe. Custom code invoking the validator directly with raw user input was the exposure.

CVE-2026-53877 is limited to django.contrib.gis. When GDALRaster was instantiated with a bytes object, it used sys.getsizeof() rather than len() to calculate buffer size — an off-by-~32-bytes mistake that could expose adjacent heap memory or trigger a segfault in edge cases. If you’re not using Django’s GIS module, this doesn’t apply to you. Both low-severity issues were reported by Bence Nagy.

The Pattern Worth Noting

This is Django’s fourth security release of 2026, following patches in February, April, and June. The cache middleware has now been patched twice this year — CVE-2026-6907 in May addressed a separate issue where responses with Vary: * were being cached incorrectly. If you’re running cache middleware in production, keep Django pinned to the latest patch version and treat this component with extra scrutiny.

The full announcement and changelog are on the Django project weblog. The cache framework documentation is worth revisiting if you rely on view-level caching — middleware ordering has more security implications than the docs have historically made obvious. For CVE details, see the Django 6.0.7 release notes.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:News