From d618d7ae4fec727d5b582bd24f803c28d17bf7cd Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 12 May 2026 16:29:56 +0100 Subject: Fixed CVE-2026-8404 -- Used Cache-Control directives case-insensitively in UpdateCacheMiddleware. Thanks Ahmed Badawe for the report, and Jacob Walls for reviews. --- docs/releases/5.2.15.txt | 16 ++++++++++++++++ docs/releases/6.0.6.txt | 16 ++++++++++++++++ 2 files changed, 32 insertions(+) (limited to 'docs') diff --git a/docs/releases/5.2.15.txt b/docs/releases/5.2.15.txt index 14796f8581..c068600280 100644 --- a/docs/releases/5.2.15.txt +++ b/docs/releases/5.2.15.txt @@ -35,3 +35,19 @@ Connections configured with :setting:`EMAIL_USE_SSL` are not affected. This issue has severity "low" according to the :ref:`Django security policy `. + +CVE-2026-8404: Potential exposure of private data via case-sensitive ``Cache-Control`` directives +================================================================================================= + +:class:`~django.middleware.cache.UpdateCacheMiddleware` and +:func:`~django.views.decorators.cache.cache_page` incorrectly cached responses +marked with private ``Cache-Control`` directives when using mixed or uppercase +values (e.g. ``Private``). + +The :func:`~django.views.decorators.cache.cache_control` decorator and +:func:`~django.utils.cache.patch_cache_control` function were not affected, +since they normalize directives to lowercase. This issue only affects responses +where ``Cache-Control`` is set manually. + +This issue has severity "low" according to the :ref:`Django security policy +`. diff --git a/docs/releases/6.0.6.txt b/docs/releases/6.0.6.txt index 20ae1db93c..afcbbe0eb2 100644 --- a/docs/releases/6.0.6.txt +++ b/docs/releases/6.0.6.txt @@ -37,6 +37,22 @@ Connections configured with :setting:`EMAIL_USE_SSL` are not affected. This issue has severity "low" according to the :ref:`Django security policy `. +CVE-2026-8404: Potential exposure of private data via case-sensitive ``Cache-Control`` directives +================================================================================================= + +:class:`~django.middleware.cache.UpdateCacheMiddleware` and +:func:`~django.views.decorators.cache.cache_page` incorrectly cached responses +marked with private ``Cache-Control`` directives when using mixed or uppercase +values (e.g. ``Private``). + +The :func:`~django.views.decorators.cache.cache_control` decorator and +:func:`~django.utils.cache.patch_cache_control` function were not affected, +since they normalize directives to lowercase. This issue only affects responses +where ``Cache-Control`` is set manually. + +This issue has severity "low" according to the :ref:`Django security policy +`. + Bugfixes ======== -- cgit v1.3