Fluid Attacks Database

Description

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.has_vary_header() in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	python-django	=2:2.2.24-1 \|\| =2:2.2.25-1~deb11u1 \|\| =2:2.2.26-1~deb11u1 \|\| =2:2.2.28-1~deb11u1 \|\| =2:2.2.28-1~deb11u10 \|\| =2:2.2.28-1~deb11u11 \|\| =2:2.2.28-1~deb11u12 \|\| =2:2.2.28-1~deb11u2 \|\| =2:2.2.28-1~deb11u3 \|\| =2:2.2.28-1~deb11u4 \|\| =2:2.2.28-1~deb11u5 \|\| =2:2.2.28-1~deb11u6 \|\| =2:2.2.28-1~deb11u7 \|\| =2:2.2.28-1~deb11u8 \|\| =2:2.2.28-1~deb11u9 \|\| =2:3.0-1 \|\| =2:3.0.1-1 \|\| =2:3.0.2-1 \|\| =2:3.0.4-1 \|\| =2:3.0.5-1 \|\| =2:3.0.6-1 \|\| =2:3.0.7-1 \|\| =2:3.0.7-2 \|\| =2:3.0~alpha1-1 \|\| =2:3.0~beta1-1 \|\| =2:3.0~rc1-1 \|\| =2:3.1-1 \|\| =2:3.1-2 \|\| =2:3.1.1-1 \|\| =2:3.1.2-1 \|\| =2:3.1.3-1 \|\| =2:3.1.4-1 \|\| =2:3.1.5-1 \|\| =2:3.1~beta1-1 \|\| =2:3.1~rc1-1 \|\| =2:3.2-1 \|\| =2:3.2.1-1 \|\| =2:3.2.10-1 \|\| =2:3.2.10-2 \|\| =2:3.2.10-2~bpo11+1 \|\| =2:3.2.10-2~bpo11+2 \|\| =2:3.2.11-1 \|\| =2:3.2.11-2 \|\| =2:3.2.12-1 \|\| =2:3.2.12-1~bpo11+1 \|\| =2:3.2.12-2 \|\| =2:3.2.13-1 \|\| =2:3.2.2-1 \|\| =2:3.2.3-1 \|\| =2:3.2.4-1 \|\| =2:3.2.5-1 \|\| =2:3.2.5-2 \|\| =2:3.2.6-1 \|\| =2:3.2.7-1 \|\| =2:3.2.7-2 \|\| =2:3.2.7-3 \|\| =2:3.2.7-4 \|\| =2:3.2.8-1 \|\| =2:3.2.9-1 \|\| =2:3.2.9-2 \|\| =2:3.2.9-2~bpo11+1 \|\| =2:3.2~alpha1-1 \|\| =2:3.2~alpha1-2 \|\| =2:3.2~beta1-1 \|\| =2:3.2~rc1-1 \|\| =2:4.0-1 \|\| =2:4.0.1-1 \|\| =2:4.0.1-2 \|\| =2:4.0.2-1 \|\| =2:4.0.3-1 \|\| =2:4.0.4-1 \|\| =2:4.0.5-1 \|\| =2:4.0.5-2 \|\| =2:4.0.6-1 \|\| =2:4.0~alpha1-1 \|\| =2:4.0~beta1-1 \|\| =2:4.0~rc1-1 \|\| =2:4.1~alpha1-1 \|\| =2:4.1~beta1-1 \|\| =2:4.1~rc1-1 \|\| =3:3.2.14-1 \|\| =3:3.2.15-1 \|\| =3:3.2.16-1 \|\| =3:3.2.16-2 \|\| =3:3.2.17-1 \|\| =3:3.2.18-1 \|\| =3:3.2.19-1 \|\| =3:3.2.20-1 \|\| =3:3.2.20-1.1 \|\| =3:3.2.21-1 \|\| =3:4.1-1 \|\| =3:4.1.1-1 \|\| =3:4.1.2-1 \|\| =3:4.1.3-1 \|\| =3:4.1.4-1 \|\| =3:4.1.5-1 \|\| =3:4.2-1 \|\| =3:4.2.1-1 \|\| =3:4.2.10-1 \|\| =3:4.2.11-1 \|\| =3:4.2.13-1 \|\| =3:4.2.14-1 \|\| =3:4.2.15-1 \|\| =3:4.2.15-1~bpo12+1 \|\| =3:4.2.16-1 \|\| =3:4.2.17-1 \|\| =3:4.2.17-2 \|\| =3:4.2.18-1 \|\| =3:4.2.18-1~bpo12+1 \|\| =3:4.2.19-1 \|\| =3:4.2.19-1~bpo12+1 \|\| =3:4.2.2-1 \|\| =3:4.2.20-1 \|\| =3:4.2.20-1~bpo12+1 \|\| =3:4.2.21-1 \|\| =3:4.2.21-1~bpo12+1 \|\| =3:4.2.22-1 \|\| =3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| =3:4.2.27-1 \|\| =3:4.2.27-2 \|\| =3:4.2.28-1 \|\| =3:4.2.29-1 \|\| =3:4.2.3-1 \|\| =3:4.2.30-1 \|\| =3:4.2.4-1 \|\| =3:4.2.5-1 \|\| =3:4.2.5-2 \|\| =3:4.2.6-1 \|\| =3:4.2.8-1 \|\| =3:4.2.9-1 \|\| =3:4.2~alpha1-1 \|\| =3:4.2~beta1-1 \|\| =3:4.2~rc1-1 \|\| =3:5.0-1 \|\| =3:5.0.1-1 \|\| =3:5.0.2-1 \|\| =3:5.0.3-1 \|\| =3:5.0.4-1 \|\| =3:5.0.6-1 \|\| =3:5.0~alpha1-1 \|\| =3:5.0~rc1-1 \|\| =3:5.1-1 \|\| =3:5.1.1-1 \|\| =3:5.1.2-1 \|\| =3:5.1.3-1 \|\| =3:5.1.4-1 \|\| =3:5.1.5-1 \|\| =3:5.1~alpha1-1 \|\| =3:5.1~beta1-1 \|\| =3:5.1~rc1-1 \|\| =3:5.2-1 \|\| =3:5.2.1-1 \|\| =3:5.2.13-1 \|\| =3:5.2.14-1 \|\| =3:5.2.14-2 \|\| =3:5.2.15-1 \|\| =3:5.2.2-1 \|\| =3:5.2.3-1 \|\| =3:5.2.4-1 \|\| =3:5.2.5-1 \|\| =3:5.2.6-1 \|\| =3:5.2~alpha1-1 \|\| =3:5.2~beta1-1 \|\| =3:5.2~rc1-1 \|\| =3:6.0-1 \|\| =3:6.0.1-1 \|\| =3:6.0.2-1 \|\| =3:6.0.3-1 \|\| =3:6.0.4-1 \|\| =3:6.0.5-1 \|\| =3:6.0.6-1 \|\| =3:6.0~alpha1-1 \|\| =3:6.0~beta1-1 \|\| =3:6.0~rc1-1
debian 12	python-django	=3:3.2.19-1 \|\| =3:3.2.19-1+deb12u1 \|\| =3:3.2.19-1+deb12u1~bpo11+1 \|\| =3:3.2.19-1+deb12u2 \|\| =3:3.2.20-1 \|\| =3:3.2.20-1.1 \|\| =3:3.2.21-1 \|\| =3:3.2.25-0+deb12u1 \|\| =3:3.2.25-0+deb12u2 \|\| =3:3.2.25-0+deb12u3 \|\| =3:4.1-1 \|\| =3:4.1.1-1 \|\| =3:4.1.2-1 \|\| =3:4.1.3-1 \|\| =3:4.1.4-1 \|\| =3:4.1.5-1 \|\| =3:4.2-1 \|\| =3:4.2.1-1 \|\| =3:4.2.10-1 \|\| =3:4.2.11-1 \|\| =3:4.2.13-1 \|\| =3:4.2.14-1 \|\| =3:4.2.15-1 \|\| =3:4.2.15-1~bpo12+1 \|\| =3:4.2.16-1 \|\| =3:4.2.17-1 \|\| =3:4.2.17-2 \|\| =3:4.2.18-1 \|\| =3:4.2.18-1~bpo12+1 \|\| =3:4.2.19-1 \|\| =3:4.2.19-1~bpo12+1 \|\| =3:4.2.2-1 \|\| =3:4.2.20-1 \|\| =3:4.2.20-1~bpo12+1 \|\| =3:4.2.21-1 \|\| =3:4.2.21-1~bpo12+1 \|\| =3:4.2.22-1 \|\| =3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| =3:4.2.27-1 \|\| =3:4.2.27-2 \|\| =3:4.2.28-1 \|\| =3:4.2.29-1 \|\| =3:4.2.3-1 \|\| =3:4.2.30-1 \|\| =3:4.2.4-1 \|\| =3:4.2.5-1 \|\| =3:4.2.5-2 \|\| =3:4.2.6-1 \|\| =3:4.2.8-1 \|\| =3:4.2.9-1 \|\| =3:4.2~alpha1-1 \|\| =3:4.2~beta1-1 \|\| =3:4.2~rc1-1 \|\| =3:5.0-1 \|\| =3:5.0.1-1 \|\| =3:5.0.2-1 \|\| =3:5.0.3-1 \|\| =3:5.0.4-1 \|\| =3:5.0.6-1 \|\| =3:5.0~alpha1-1 \|\| =3:5.0~rc1-1 \|\| =3:5.1-1 \|\| =3:5.1.1-1 \|\| =3:5.1.2-1 \|\| =3:5.1.3-1 \|\| =3:5.1.4-1 \|\| =3:5.1.5-1 \|\| =3:5.1~alpha1-1 \|\| =3:5.1~beta1-1 \|\| =3:5.1~rc1-1 \|\| =3:5.2-1 \|\| =3:5.2.1-1 \|\| =3:5.2.13-1 \|\| =3:5.2.14-1 \|\| =3:5.2.14-2 \|\| =3:5.2.15-1 \|\| =3:5.2.2-1 \|\| =3:5.2.3-1 \|\| =3:5.2.4-1 \|\| =3:5.2.5-1 \|\| =3:5.2.6-1 \|\| =3:5.2~alpha1-1 \|\| =3:5.2~beta1-1 \|\| =3:5.2~rc1-1 \|\| =3:6.0-1 \|\| =3:6.0.1-1 \|\| =3:6.0.2-1 \|\| =3:6.0.3-1 \|\| =3:6.0.4-1 \|\| =3:6.0.5-1 \|\| =3:6.0.6-1 \|\| =3:6.0~alpha1-1 \|\| =3:6.0~beta1-1 \|\| =3:6.0~rc1-1
debian 14	python-django	=3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| =3:4.2.27-1 \|\| =3:4.2.27-2 \|\| =3:4.2.28-1 \|\| =3:4.2.29-1 \|\| =3:4.2.30-1 \|\| =3:5.0-1 \|\| =3:5.0.1-1 \|\| =3:5.0.2-1 \|\| =3:5.0.3-1 \|\| =3:5.0.4-1 \|\| =3:5.0.6-1 \|\| =3:5.0~alpha1-1 \|\| =3:5.0~rc1-1 \|\| =3:5.1-1 \|\| =3:5.1.1-1 \|\| =3:5.1.2-1 \|\| =3:5.1.3-1 \|\| =3:5.1.4-1 \|\| =3:5.1.5-1 \|\| =3:5.1~alpha1-1 \|\| =3:5.1~beta1-1 \|\| =3:5.1~rc1-1 \|\| =3:5.2-1 \|\| =3:5.2.1-1 \|\| =3:5.2.13-1 \|\| =3:5.2.14-1 \|\| =3:5.2.14-2 \|\| =3:5.2.15-1 \|\| =3:5.2.2-1 \|\| =3:5.2.3-1 \|\| =3:5.2.4-1 \|\| =3:5.2.5-1 \|\| =3:5.2.6-1 \|\| =3:5.2~alpha1-1 \|\| =3:5.2~beta1-1 \|\| =3:5.2~rc1-1 \|\| =3:6.0-1 \|\| =3:6.0.1-1 \|\| =3:6.0.2-1 \|\| =3:6.0.3-1 \|\| =3:6.0.4-1 \|\| =3:6.0.5-1 \|\| =3:6.0.6-1 \|\| =3:6.0~alpha1-1 \|\| =3:6.0~beta1-1 \|\| =3:6.0~rc1-1
debian 13	python-django	=3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| =3:4.2.27-0+deb13u1 \|\| =3:4.2.27-1 \|\| =3:4.2.27-2 \|\| =3:4.2.28-0+deb13u1 \|\| =3:4.2.28-0+deb13u2 \|\| =3:4.2.28-1 \|\| =3:4.2.29-1 \|\| =3:4.2.30-1 \|\| =3:5.0-1 \|\| =3:5.0.1-1 \|\| =3:5.0.2-1 \|\| =3:5.0.3-1 \|\| =3:5.0.4-1 \|\| =3:5.0.6-1 \|\| =3:5.0~alpha1-1 \|\| =3:5.0~rc1-1 \|\| =3:5.1-1 \|\| =3:5.1.1-1 \|\| =3:5.1.2-1 \|\| =3:5.1.3-1 \|\| =3:5.1.4-1 \|\| =3:5.1.5-1 \|\| =3:5.1~alpha1-1 \|\| =3:5.1~beta1-1 \|\| =3:5.1~rc1-1 \|\| =3:5.2-1 \|\| =3:5.2.1-1 \|\| =3:5.2.13-1 \|\| =3:5.2.14-1 \|\| =3:5.2.14-2 \|\| =3:5.2.15-1 \|\| =3:5.2.2-1 \|\| =3:5.2.3-1 \|\| =3:5.2.4-1 \|\| =3:5.2.5-1 \|\| =3:5.2.6-1 \|\| =3:5.2~alpha1-1 \|\| =3:5.2~beta1-1 \|\| =3:5.2~rc1-1 \|\| =3:6.0-1 \|\| =3:6.0.1-1 \|\| =3:6.0.2-1 \|\| =3:6.0.3-1 \|\| =3:6.0.4-1 \|\| =3:6.0.5-1 \|\| =3:6.0.6-1 \|\| =3:6.0~alpha1-1 \|\| =3:6.0~beta1-1 \|\| =3:6.0~rc1-1

Aliases

1. CVE-2026-485872. NVD-2026-485873. OSV-DEBIAN-2026-485874. OSV-2026-485875. SECURITY-TRACKER-CVE-2026-48587