Django security releases issued: 6.0.5 and 5.2.14 | Weblog | Django


URL Source: https://www.djangoproject.com/weblog/2026/may/05/security-releases/

Published Time: 2026-05-05T09:00:00


Django security releases issued: 6.0.5 and 5.2.14

Posted by Sarah Boyce on May 5, 2026

In accordance with our security release policy, the Django team is issuing releases for Django 6.0.5 and Django 5.2.14. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass

ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.

This issue has severity "low" according to the Django security policy.

This issue was originally highlighted by Kyle Agronick in Trac. Thanks to Jacob Walls for following up and reporting it.
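The failure mode above comes down to where the size limit is enforced. The following is an added, illustrative model written for this post, not Django's own upload handling: a reader that trusts the declared Content-Length, next to one that counts the bytes actually received from the ASGI-style body stream. The sample request with an understated length is constructed inline; the limit value is just a number for the demonstration.

```python
"""Model of the upload-limit bypass: trusting Content-Length vs. counting real bytes."""
from typing import Iterator, List, Optional


class BodyTooLarge(Exception):
    """Raised when a request body exceeds the in-memory limit."""


def read_body_trusting_header(chunks: Iterator[bytes], declared: Optional[int], limit: int) -> bytes:
    # Vulnerable pattern: the only check is against the client-supplied header,
    # so a missing or understated Content-Length lets the whole body into memory.
    if declared is not None and declared > limit:
        raise BodyTooLarge
    return b"".join(chunks)


def read_body_enforcing_limit(chunks: Iterator[bytes], declared: Optional[int], limit: int) -> bytes:
    # Hardened pattern: keep the header check as an early reject, but enforce the
    # limit on the bytes that actually arrive, chunk by chunk.
    if declared is not None and declared > limit:
        raise BodyTooLarge
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > limit:
            raise BodyTooLarge
    return bytes(buf)


def constructed_request(actual_size: int, chunk_size: int = 1024) -> List[bytes]:
    """Constructed sample body, delivered as an ASGI-like sequence of chunks."""
    body = b"A" * actual_size
    return [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]


def _run(reader, chunks: List[bytes], declared: Optional[int], limit: int) -> str:
    try:
        return f"accepted {len(reader(iter(chunks), declared, limit))} bytes"
    except BodyTooLarge:
        return "rejected"


def compare(declared: Optional[int], actual_size: int, limit: int):
    """Return (outcome with trusting reader, outcome with enforcing reader)."""
    chunks = constructed_request(actual_size)
    return (
        _run(read_body_trusting_header, chunks, declared, limit),
        _run(read_body_enforcing_limit, chunks, declared, limit),
    )


if __name__ == "__main__":
    print(compare(100, 10_000, 1_000))    # header understated: only the enforcing reader rejects
```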

CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

Response headers did not vary on Cookie when a session was not modified but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user's session after that user visits a cached public page.

This issue has severity "low" according to the Django security policy.

CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware

Previously, django.middleware.cache.UpdateCacheMiddleware would erroneously cache requests where the Vary header contained an asterisk ('*'). This could lead to private data being stored and served.

This issue has severity "low" according to the Django security policy.

Thanks to Ahmad Sadeddin for the report.

Affected supported versions

  • Django main
  • Django 6.0
  • Django 5.2

Resolution

Patches to resolve the issues have been applied to Django's main, 6.0, and 5.2 branches. The patches may be obtained from the following changesets.

CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass

CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware

The following releases have been issued

The PGP key ID used for this release is Sarah Boyce: 3955B19851EA96EF

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance, nor via the Django Forum. Please see our security policies for further information.


© 2005-2026 Django Software Foundation and individual contributors. Django is a registered trademark of the Django Software Foundation.