{ "threat_severity" : "Moderate", "public_date" : "2026-05-05T14:50:02Z", "bugzilla" : { "description" : "django: Django: Information Disclosure via erroneous caching of Vary header with asterisk", "id" : "2466771", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2466771" }, "cvss3" : { "cvss3_base_score" : "4.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "status" : "draft" }, "cwe" : "CWE-524", "details" : [ "A flaw was found in Django. The `django.middleware.cache.UpdateCacheMiddleware` component incorrectly caches web requests when the `Vary` header contains an asterisk ('*'). This error can lead to sensitive private data being stored in the cache and subsequently served to unauthorized users, resulting in information disclosure." ], "package_state" : [ { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-24/lightspeed-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-25/lightspeed-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-26/controller-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-26/eda-controller-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-26/gateway-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-26/hub-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-26/lightspeed-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform/automation-dashboard-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "ansible-automation-platform-tech-preview/metrics-service-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "automation-controller", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Fix deferred", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Discovery 2", "fix_state" : "Fix deferred", "package_name" : "discovery/discovery-server-rhel9", "cpe" : "cpe:/a:redhat:discovery:2::el9" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "fix_state" : "Fix deferred", "package_name" : "python-django20", "cpe" : "cpe:/a:redhat:openstack:16.2" }, { "product_name" : "Red Hat OpenStack Platform 17.1", "fix_state" : "Fix deferred", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:openstack:17.1" }, { "product_name" : "Red Hat OpenStack Platform 18.0", "fix_state" : "Fix deferred", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:openstack:18.0" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Fix deferred", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Fix deferred", "package_name" : "satellite:el8/python-django", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Fix deferred", "package_name" : "satellite/iop-advisor-backend-rhel9", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Update Infrastructure 4 for Cloud Providers", "fix_state" : "Fix deferred", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:rhui:4::el8" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-6907\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6907\nhttps://docs.djangoproject.com/en/dev/releases/security/\nhttps://groups.google.com/g/django-announce\nhttps://www.djangoproject.com/weblog/2026/may/05/security-releases/" ], "name" : "CVE-2026-6907", "mitigation" : { "value" : "To mitigate this issue, disable the `django.middleware.cache.UpdateCacheMiddleware` in your Django application's `settings.py` file by removing it from the `MIDDLEWARE` list. This action prevents the erroneous caching of requests with an asterisk in the `Vary` header, thereby eliminating the information disclosure vulnerability. Be aware that disabling this middleware will also deactivate Django's built-in caching functionality, which may affect application performance and behavior. A restart of the Django application server is required for this change to take effect.", "lang" : "en:us" }, "csaw" : false }