· Custom Software Development · 7 min read

Django Security Alert: June 2026 Cache Vulnerabilities

Django 6.0.6 and 5.2.15 patch five cache vulnerabilities, including CVE-2026-35193, which could serve private data to unauthenticated users. Here is what to do.

Django 6.0.6 and 5.2.15 patch five cache vulnerabilities, including CVE-2026-35193, which could serve private data to unauthenticated users. Here is what to do.

TL;DR: On 3 June 2026, Django released versions 6.0.6 and 5.2.15 to patch five security flaws. The most critical, CVE-2026-35193, allows cached authenticated responses to be served to unauthenticated users. Upgrade immediately if you are on any affected branch.

Introduction

The threat is straightforward and the stakes are not: a misconfigured caching layer can silently hand a stranger the authenticated response that was meant for your logged-in user. That is precisely what Django’s June 2026 security release addresses. On 3 June 2026, the Django project published patches for versions 6.0.6 and 5.2.15, resolving five distinct vulnerabilities — all centred on the way Django’s caching middleware handles HTTP headers.

For teams running production SaaS products, internal tools, or any Django application that sits behind a shared cache, these patches are not optional housekeeping. They close real data-exposure paths. The Django team rated all five issues as ‘low’ severity under its own policy, but ‘low’ in Django’s taxonomy still means ‘capable of exposing private data under realistic conditions.’ The patches have been applied to the main development branch (targeting 6.1), the 6.0 branch, and the 5.2 branch — so there is no supported version left unaddressed, and no justification for delay.

This post walks through each CVE in plain terms, shows you what the vulnerable behaviour looks like in code, and tells you exactly what to verify after you upgrade.

What Is the Django Cache Vulnerability Disclosed in June 2026?

The June 2026 Django security release addresses five vulnerabilities in which UpdateCacheMiddleware and related components fail to honour HTTP cache-control semantics correctly. The most significant, CVE-2026-35193, occurs when the middleware omits the Vary: Authorization header from responses to authenticated requests, meaning a downstream cache can store and replay a private response to any subsequent unauthenticated request. The remaining four CVEs cover mixed-case Cache-Control parsing, whitespace-corrupted Vary headers, a STARTTLS downgrade in the SMTP backend, and a signed-cookie salt collision.

CVE-2026-35193: The UpdateCacheMiddleware Authorization Flaw

CVE-2026-35193 is the headline issue. When a Django view returns a response to an authenticated request, UpdateCacheMiddleware is supposed to include Vary: Authorization so that caches key the stored response against the authorisation state of the request. Before the patch, it did not. A shared cache — Varnish, Nginx proxy cache, a CDN — could store the authenticated response and serve it verbatim to the next unauthenticated visitor who hit the same URL.

Consider a typical middleware stack:

# settings.py — a stack that is vulnerable before 6.0.6 / 5.2.15
MIDDLEWARE = [
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    # ... other middleware ...
    'django.middleware.cache.FetchFromCacheMiddleware',
]

With UpdateCacheMiddleware at the top and authentication middleware below it, the cache layer sees the response before the Authorization context is properly reflected in the Vary header. After upgrading, Django injects Vary: Authorization automatically for any response generated in an authenticated context.

Pro tip: After upgrading, issue a cache-wide purge before returning traffic. Any responses already stored under the old behaviour will persist until their TTL expires or you explicitly invalidate them. For Redis-backed caches, django.core.cache.cache.clear() is the bluntest instrument; for Varnish or CDN caches, use your provider’s purge API.

Teams doing custom software development in Django, Rails and Laravel should treat this as a mandatory audit point: review every view that touches request.user and confirm your cache key strategy accounts for authentication state.

How Did CVE-2026-8404 and CVE-2026-48587 Compound the Risk?

These two CVEs are quieter but compound the exposure surface in ways that are easy to miss during a routine code review.

CVE-2026-8404 exploits the fact that HTTP header parsing is case-insensitive by specification, but Django’s caching middleware was performing a case-sensitive string comparison when checking for Cache-Control: private. A response bearing Cache-Control: Private (capital P) — which is perfectly valid HTTP — would slip past the check and be stored in the cache as though it were a public response.

# Illustrative: what the pre-patch check approximated
if 'private' in response.get('Cache-Control', ''):
    # skip caching
    pass
# 'Private' (capital P) would NOT match, so caching proceeded incorrectly

The fix normalises the header value to lowercase before comparison — a one-line change that closes a class of bugs rather than a single instance.

CVE-2026-48587 is a whitespace problem. If a Vary header contained leading or trailing whitespace — Vary: * rather than Vary: * — the wildcard rule that instructs caches never to store the response was silently ignored. Proxies and CDNs that strip or normalise headers differently from Django’s own parser could behave unpredictably, sometimes caching responses that should never have been stored.

Pro tip: Audit your response headers in staging using curl -I rather than relying solely on browser DevTools. Browser caches apply their own normalisation and can mask whitespace anomalies that a shared cache will not.

CVE-2026-7666 and CVE-2026-6873: The Quieter but Consequential Pair

The remaining two vulnerabilities sit outside the caching subsystem but were bundled into the same release.

CVE-2026-7666 affects the SMTP email backend. When a STARTTLS handshake fails — due to a certificate error, a network interruption, or a misconfigured mail server — Django’s backend did not abort the connection cleanly. Instead, it could proceed to transmit subsequent emails over the partially-initialised, unencrypted connection. For applications that send transactional email containing tokens, invoices, or personal data, this is a meaningful exposure.

# settings.py — ensure you are on a patched version before relying on this
EMAIL_USE_TLS = True
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
# Pre-patch: a failed STARTTLS could silently downgrade to plaintext
# Post-patch: the backend raises an exception and aborts

CVE-2026-7666 on NVD notes that the fix introduces an explicit exception on handshake failure, so your monitoring should expect SMTPException rather than silent success in misconfigured environments.

CVE-2026-6873 concerns signed cookie salt namespacing. Django uses a salt alongside a secret key to sign cookies, ensuring that a cookie issued for one purpose cannot be replayed in another context. The flaw allowed distinct cookie names and salts to produce identical signatures under certain conditions, meaning a cookie could be accepted in the wrong context — a session fixation vector in applications that use multiple signed cookies for different privilege levels. The Snyk advisory provides additional detail on the collision mechanics.

Pro tip: If your application uses django.core.signing directly — not just session cookies — review your salt strings for uniqueness after upgrading. The patch tightens the namespace derivation, but existing tokens signed under the old scheme will remain valid until they expire naturally.

What This Means for Custom Software Development in 2026

The June 2026 release is a reminder that caching is a security boundary, not merely a performance optimisation. As Django applications grow — adding authentication tiers, CDN layers, and microservice backends — the assumptions baked into middleware defaults can quietly become liabilities.

For growth-stage teams and enterprise SaaS operators alike, the practical lesson is to treat cache invalidation and header hygiene as first-class concerns in your deployment checklist, not afterthoughts. The Django 6.1 beta 1, announced on 24 June 2026, incorporates all five fixes in the main branch, so teams evaluating an upgrade path to 6.1 can proceed with confidence.

For businesses across the Thames Valley — including those seeking website development in Reading — these vulnerabilities underscore why production Django applications benefit from ongoing security review as part of a managed development engagement, rather than a one-time build-and-deploy model.

Key Takeaways

  • Upgrade to Django 6.0.6 or 5.2.15 immediately; all five CVEs are patched in both releases and in the 6.1 development branch.
  • After upgrading, purge your shared cache (Redis, Varnish, CDN) to eliminate any responses stored under the vulnerable middleware behaviour.
  • Audit every view that accesses request.user and confirm your cache key strategy explicitly accounts for authentication state.
  • If you use Django’s SMTP backend with EMAIL_USE_TLS = True, verify your mail server’s TLS configuration so that STARTTLS failures now surface as exceptions rather than silent downgrades.
  • Review all signed cookie salts for uniqueness if your application uses django.core.signing directly with multiple cookie contexts.

Conclusion

Five CVEs in a single release is unusual for Django, and the concentration of flaws in the caching subsystem warrants a careful post-upgrade audit rather than a simple pip install --upgrade. The good news is that the fixes are clean, the upgrade path is well-documented, and the Django team’s transparency throughout the disclosure process gives teams everything they need to act decisively. If your organisation needs a structured security review or is building a new Django application from the ground up, Zorinto’s team specialising in production-grade Django, Rails and Laravel development can help you get the architecture right before caching assumptions become vulnerabilities.

Back to Blog

Related Posts

View All Posts »
Custom Software Development Process: Complete Guide

Custom Software Development Process: Complete Guide

Explore the intricate world of custom software development with Zorinto. This guide provides a comprehensive overview from initial concept to deployment, highlighting unique processes and real-world applications for UK businesses.

Dec 3, 2025
Custom Software Development
Business Automation ROI for UK SMEs in 2026

Business Automation ROI for UK SMEs in 2026

UK SMEs spend thousands on manual admin each year. Here are the real costs, savings, and payback periods to help you decide if automation is worth it.

Jul 10, 2026
Business Automation (n8n)