CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Blast Radius
Ecosystem impact: 10 PyPI packages depend on django (10 direct, 0 indirect). Ecosystem-wide dependent count for version 5.2.
Description (NVD)
An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified but SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
Analysis (AI)
Django 6.0 before 6.0.5 and 5.2 before 5.2.14 fail to vary response headers on the session cookie when SESSION_SAVE_EVERY_REQUEST is enabled but the session is unmodified, so a response for a public page can be cached and served to other clients; a remote attacker can steal a user's session token once that user has visited such a cached page. The issue affects deployments that cache responses aggressively while saving the session on every request, exposing authenticated users to session hijacking.
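The cache interaction that the description and analysis above refer to, as an added illustration that is not Django's code and not part of this record: a toy shared cache that keys entries on the request headers named in `Vary`, a defender check that flags a response re-issuing the session cookie without `Vary: Cookie`, and a simulation showing that only the unfixed response reaches a second, anonymous client. `Response`, `SharedCache`, `origin` and `leaked_session` are constructed names, and the cookie value is made up.

```python
from dataclasses import dataclass, field

SESSION_COOKIE = "sessionid"  # Django's default session cookie name

@dataclass
class Response:  # minimal HTTP response stand-in (constructed, not Django's class)
    body: str
    headers: dict = field(default_factory=dict)
    set_cookies: dict = field(default_factory=dict)

def vary_fields(resp):
    """Header names listed in Vary, lower-cased."""
    return {h.strip().lower() for h in resp.headers.get("Vary", "").split(",") if h.strip()}

def sets_session_without_vary(resp):
    """Defender check: session cookie re-issued but caches not told to key on Cookie."""
    return SESSION_COOKIE in resp.set_cookies and "cookie" not in vary_fields(resp)

class SharedCache:
    """Toy shared cache keyed on path plus the request headers named in Vary."""
    def __init__(self):
        self.store = {}

    def put(self, path, req_headers, resp):
        varied = tuple((h, req_headers.get(h, "")) for h in sorted(vary_fields(resp)))
        self.store[(path, varied)] = resp

    def get(self, path, req_headers):
        for (p, varied), resp in self.store.items():
            if p == path and all(req_headers.get(h, "") == v for h, v in varied):
                return resp
        return None

def origin(req_headers, fixed):
    """Affected app: SESSION_SAVE_EVERY_REQUEST re-sets the cookie on every response."""
    session = req_headers.get("cookie", "").partition("=")[2]
    resp = Response("public page", set_cookies={SESSION_COOKIE: session} if session else {})
    if fixed:  # the fix: vary on Cookie whenever the session cookie is (re)issued
        resp.headers["Vary"] = "Cookie"
    return resp

def leaked_session(fixed):
    """Logged-in user, then anonymous client, fetch /public via a shared cache."""
    cache = SharedCache()
    user = {"cookie": f"{SESSION_COOKIE}=s3cr3t-user"}  # constructed value
    cache.put("/public", user, origin(user, fixed))
    hit = cache.get("/public", {})  # anonymous request carries no Cookie header
    return hit.set_cookies.get(SESSION_COOKIE) if hit else None  # None when fixed
```

Running `sets_session_without_vary` over responses in a test client or middleware is a cheap regression check for this class of cache-key mistake, independent of which shared cache sits in front of the application.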
EUVD-2026-27347