CVE-2026-48587

Potential exposure of private data via whitespace padding in Vary header

CVSS 2.3 LOW · EPSS 0.4% · CWE-1023
In short

Django's `has_vary_header()` check does not strip whitespace from HTTP header values, allowing attackers to bypass cache validation and read cached responses that should have been private. This happens because the comparison logic treats 'Content-Type' and ' Content-Type ' as different values.

Technical detail

CVE-2026-48587 affects Django versions 5.2 before 5.2.15 and 6.0 before 6.0.6 in the `has_vary_header()` function, which fails to normalize whitespace in Vary header values before comparison. An attacker can craft requests with whitespace-padded header values to bypass cache validation and retrieve cached responses intended for different audiences, leading to information disclosure. The vulnerability requires the application to cache responses based on Vary headers without proper normalization.
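The comparison flaw, as an added illustration that is not Django's own code: a constructed re-creation of an unnormalized `Vary` check beside a normalized one, a hypothetical cache policy built on each, and an audit helper that lists the `Vary` values on which the two checks disagree. The function and constant names are assumptions for this example.

```python
import re

# Constructed re-creation of the flawed comparison for illustration; it is not
# Django's own code. The split removes whitespace *around commas* only, so a
# value such as " Cookie" keeps its leading space in the resulting token.
_delim_re = re.compile(r"\s*,\s*")


def has_vary_header_unnormalized(vary_value, header_query):
    """Faulty check: tokens are lowercased but never stripped, so
    ' cookie' != 'cookie' and the header is reported as absent."""
    if not vary_value:
        return False
    existing = {h.lower() for h in _delim_re.split(vary_value)}
    return header_query.lower() in existing


def has_vary_header_normalized(vary_value, header_query):
    """Hardened check: strip every token (and the query) before comparing,
    and ignore empty tokens left by stray commas."""
    if not vary_value:
        return False
    existing = {h.strip().lower() for h in _delim_re.split(vary_value)}
    existing.discard("")
    return header_query.strip().lower() in existing


def shared_cache_allowed(vary_value, sets_cookie, check=has_vary_header_unnormalized):
    """Hypothetical cache policy (an assumption, not Django's middleware): a
    response that sets a cookie and varies on Cookie is per-user and must stay
    out of the shared cache. With the faulty check, 'Vary:  Cookie' slips in."""
    if sets_cookie and check(vary_value, "Cookie"):
        return False
    return True


def find_divergent_vary_values(vary_values, header_query="Cookie"):
    """Audit helper: Vary values on which the two checks disagree, i.e. the
    ones an unpatched comparison would misclassify."""
    return [
        v for v in vary_values
        if has_vary_header_unnormalized(v, header_query)
        != has_vary_header_normalized(v, header_query)
    ]


# Constructed sample Vary values as a cache layer might observe them.
SAMPLE_VARY_VALUES = ["Cookie", " Cookie", "Cookie ", "Accept-Encoding, Cookie",
                      "\tCookie", "Accept-Language"]
```

Running `find_divergent_vary_values(SAMPLE_VARY_VALUES)` over recorded response headers is a quick way to see whether any of an application's `Vary` values would be misread by an unpatched check.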

Summary generated and translated by AI from the official description.
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
djangoproject · Django
