CVE-2026-35192

UNKNOWN 0.0

Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

CWE	CWE-539
Vendor	djangoproject
Product	django
Published	May 5, 2026

Stay Ahead of the Next One

Get instant alerts for djangoproject django

Be the first to know when new unknown vulnerabilities affecting djangoproject django are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

djangoproject / Django

6.0 < 6.0.5 5.2 < 5.2.14

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.djangoproject.com: https://docs.djangoproject.com/en/dev/releases/security/ groups.google.com: https://groups.google.com/g/django-announce djangoproject.com: https://www.djangoproject.com/weblog/2026/may/05/security-releases/

Credits

🔍 Cantina Jake Howard Sarah Boyce