CVE-2026-8404: CWE-178: Improper Handling of Case Sensitivity in djangoproject Django
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.
AI Analysis
Technical Summary
CVE-2026-8404 is a vulnerability in Django's UpdateCacheMiddleware affecting versions 5.2 before 5.2.15 and 6.0 before 6.0.6. The middleware does not perform case-insensitive matching of Cache-Control response directives, leading to improper caching behavior when Cache-Control headers use uppercase or mixed-case values. This can result in unauthorized reading of cached responses that should have been excluded from caching. Earlier unsupported Django versions may also be affected but were not evaluated. The issue is categorized as CWE-178 (Improper Handling of Case Sensitivity).
Potential Impact
The vulnerability allows remote attackers to read cached HTTP responses that were incorrectly cached due to case-sensitive matching of Cache-Control headers. This could lead to unintended information disclosure. The CVSS score is 3.1 (low), indicating limited impact primarily related to confidentiality. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not confirmed in the provided data. Users should consult the official Django security advisory for updates and apply any available patches or updates to versions 5.2.15 or later and 6.0.6 or later. Until patched, review Cache-Control header usage to ensure consistent casing or consider disabling caching middleware if feasible. No vendor advisory content was provided to indicate if no action is required or if the issue is already mitigated.
CVE-2026-8404: CWE-178: Improper Handling of Case Sensitivity in djangoproject Django
Description
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.
CVSS v3.1
Score 3.1low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-8404 is a vulnerability in Django's UpdateCacheMiddleware affecting versions 5.2 before 5.2.15 and 6.0 before 6.0.6. The middleware does not perform case-insensitive matching of Cache-Control response directives, leading to improper caching behavior when Cache-Control headers use uppercase or mixed-case values. This can result in unauthorized reading of cached responses that should have been excluded from caching. Earlier unsupported Django versions may also be affected but were not evaluated. The issue is categorized as CWE-178 (Improper Handling of Case Sensitivity).
Potential Impact
The vulnerability allows remote attackers to read cached HTTP responses that were incorrectly cached due to case-sensitive matching of Cache-Control headers. This could lead to unintended information disclosure. The CVSS score is 3.1 (low), indicating limited impact primarily related to confidentiality. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not confirmed in the provided data. Users should consult the official Django security advisory for updates and apply any available patches or updates to versions 5.2.15 or later and 6.0.6 or later. Until patched, review Cache-Control header usage to ensure consistent casing or consider disabling caching middleware if feasible. No vendor advisory content was provided to indicate if no action is required or if the issue is already mitigated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- DSF
- Date Reserved
- 2026-05-12T15:06:18.803Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2037c7e29bf47b50c14ee6
Added to database: 6/3/2026, 2:18:47 PM
Last enriched: 6/3/2026, 2:35:44 PM
Last updated: 6/4/2026, 4:50:57 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.