CVE-2026-8404

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.djangoproject.com/en/dev/releases/security/	Patch Vendor Advisory
https://groups.google.com/g/django-announce	Release Notes
https://www.djangoproject.com/weblog/2026/jun/03/security-releases/	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:djangoproject:django::::::::
	cpe:2.3:a:djangoproject:django::::::::

History

05 Jun 2026, 12:38

Type	Values Removed	Values Added
References	~~() https://docs.djangoproject.com/en/dev/releases/security/ -~~	() https://docs.djangoproject.com/en/dev/releases/security/ - Patch, Vendor Advisory
References	~~() https://groups.google.com/g/django-announce -~~	() https://groups.google.com/g/django-announce - Release Notes
References	~~() https://www.djangoproject.com/weblog/2026/jun/03/security-releases/ -~~	() https://www.djangoproject.com/weblog/2026/jun/03/security-releases/ - Patch, Vendor Advisory
CPE		cpe:2.3:a:djangoproject:django::::::::
First Time		Djangoproject Djangoproject django

03 Jun 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-03 14:16

Updated : 2026-06-17 11:03

NVD link : CVE-2026-8404

Mitre link : CVE-2026-8404

CVE.ORG link : CVE-2026-8404

JSON object : View

Products Affected

djangoproject

django

CWE

CWE-178

Improper Handling of Case Sensitivity

{"id": "CVE-2026-8404", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-8404", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-03T15:46:33.911128Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "affectedData": [{"repo": "https://github.com/django/django/", "vendor": "djangoproject", "product": "Django", "versions": [{"status": "affected", "version": "6.0", "lessThan": "6.0.6", "versionType": "python"}, {"status": "unaffected", "version": "6.0.6", "versionType": "python"}, {"status": "affected", "version": "5.2", "lessThan": "5.2.15", "versionType": "python"}, {"status": "unaffected", "version": "5.2.15", "versionType": "python"}], "packageName": "django", "collectionURL": "https://pypi.org/project/Django/", "defaultStatus": "unaffected"}]}], "published": "2026-06-03T14:16:47.650", "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "tags": ["Patch", "Vendor Advisory"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}, {"url": "https://groups.google.com/g/django-announce", "tags": ["Release Notes"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}, {"url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/", "tags": ["Patch", "Vendor Advisory"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "description": [{"lang": "en", "value": "CWE-178"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmed Badawe for reporting this issue."}], "lastModified": "2026-06-17T11:03:53.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "048C450F-F81F-4A1D-9BF7-DC36FF26988E", "versionEndExcluding": "5.2.15", "versionStartIncluding": "5.2"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC9BA685-D9CE-406E-A479-9C444E8EADB3", "versionEndExcluding": "6.0.6", "versionStartIncluding": "6.0"}], "operator": "OR"}]}], "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}