summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJake Howard <git@theorangeone.net>2026-05-12 16:29:56 +0100
committerNatalia <124304+nessita@users.noreply.github.com>2026-06-03 08:37:26 -0300
commitd618d7ae4fec727d5b582bd24f803c28d17bf7cd (patch)
tree51fdf6600a8756f7c9065bfe8c81b91a696f2117 /docs
parentdf887f50198593a0e5b4638bfddbbd43a30fd276 (diff)
Fixed CVE-2026-8404 -- Used Cache-Control directives case-insensitively in UpdateCacheMiddleware.
Thanks Ahmed Badawe for the report, and Jacob Walls for reviews.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/5.2.15.txt16
-rw-r--r--docs/releases/6.0.6.txt16
2 files changed, 32 insertions, 0 deletions
diff --git a/docs/releases/5.2.15.txt b/docs/releases/5.2.15.txt
index 14796f8581..c068600280 100644
--- a/docs/releases/5.2.15.txt
+++ b/docs/releases/5.2.15.txt
@@ -35,3 +35,19 @@ Connections configured with :setting:`EMAIL_USE_SSL` are not affected.
This issue has severity "low" according to the :ref:`Django security policy
<severity-levels>`.
+
+CVE-2026-8404: Potential exposure of private data via case-sensitive ``Cache-Control`` directives
+=================================================================================================
+
+:class:`~django.middleware.cache.UpdateCacheMiddleware` and
+:func:`~django.views.decorators.cache.cache_page` incorrectly cached responses
+marked with private ``Cache-Control`` directives when using mixed or uppercase
+values (e.g. ``Private``).
+
+The :func:`~django.views.decorators.cache.cache_control` decorator and
+:func:`~django.utils.cache.patch_cache_control` function were not affected,
+since they normalize directives to lowercase. This issue only affects responses
+where ``Cache-Control`` is set manually.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<severity-levels>`.
diff --git a/docs/releases/6.0.6.txt b/docs/releases/6.0.6.txt
index 20ae1db93c..afcbbe0eb2 100644
--- a/docs/releases/6.0.6.txt
+++ b/docs/releases/6.0.6.txt
@@ -37,6 +37,22 @@ Connections configured with :setting:`EMAIL_USE_SSL` are not affected.
This issue has severity "low" according to the :ref:`Django security policy
<severity-levels>`.
+CVE-2026-8404: Potential exposure of private data via case-sensitive ``Cache-Control`` directives
+=================================================================================================
+
+:class:`~django.middleware.cache.UpdateCacheMiddleware` and
+:func:`~django.views.decorators.cache.cache_page` incorrectly cached responses
+marked with private ``Cache-Control`` directives when using mixed or uppercase
+values (e.g. ``Private``).
+
+The :func:`~django.views.decorators.cache.cache_control` decorator and
+:func:`~django.utils.cache.patch_cache_control` function were not affected,
+since they normalize directives to lowercase. This issue only affects responses
+where ``Cache-Control`` is set manually.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<severity-levels>`.
+
Bugfixes
========