2026-05-07 · Django Project

Django 6.0.5: Three CVEs — Session Fixation, Cache Exposure, Upload Bypass

security

Source: Django Project · Date: 2026-05-05 · URL: https://www.djangoproject.com/weblog/2026/may/05/security-releases/

Summary

Django 6.0.5 and 5.2.14 fix three security vulnerabilities, all rated low severity. CVE-2026-5766: on ASGI deployments the file upload limit can be bypassed when the Content-Length header is missing or understates the body size. CVE-2026-35192: session fixation when SESSION_SAVE_EVERY_REQUEST is True and response caching is active. CVE-2026-6907: UpdateCacheMiddleware erroneously caches responses carrying Vary: *, so one user's private response can be served to another. All three affect Django 6.0 before 6.0.5.
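The two cache-related items above come down to one HTTP rule: a shared cache must not store a response marked Vary: * (RFC 9110 says such a response can never match a later request), and it must not replay a response that sets a user-specific cookie. The toy cache below is an added example, not Django's UpdateCacheMiddleware and not the project's fix; it shows the rule in its correct form and, with honour_vary_star=False, the failure mode of caching a Vary: * response so that one user receives another's body. The Response class, CachingProxy, the _private_profile origin and the "alice"/"bob" requests are constructed for the demonstration. The Set-Cookie refusal is the generic hazard behind caching session cookies; whether that is the exact mechanism of CVE-2026-35192 is not stated in the advisory and is not claimed here.

```python
"""Toy shared cache showing why a response marked `Vary: *` (or one that sets a
cookie) must never be stored and replayed to a different client.

Added example, not Django's UpdateCacheMiddleware. The Response class,
CachingProxy and the `_private_profile` origin handler are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    headers: dict[str, str] = field(default_factory=dict)


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_cacheable(response: Response) -> bool:
    """Conservative shared-cache storability rule.

    `Vary: *` means no later request can be matched to this response
    (RFC 9110, section 12.5.5), so a shared cache must not reuse it.
    A response that sets a cookie is user-specific and is refused as well.
    """
    if response.status != 200:
        return False
    cache_control = (_header(response.headers, "Cache-Control") or "").lower()
    if "no-store" in cache_control or "private" in cache_control:
        return False
    vary = _header(response.headers, "Vary")
    if vary is not None and any(v.strip() == "*" for v in vary.split(",")):
        return False
    if _header(response.headers, "Set-Cookie") is not None:
        return False
    return True


def cache_key(path: str, request_headers: dict[str, str], vary: str | None) -> str:
    """Secondary key: the path plus the request header values listed in Vary."""
    parts = [path]
    for name in (vary or "").split(","):
        name = name.strip()
        if name:
            parts.append(f"{name.lower()}={_header(request_headers, name) or ''}")
    return "|".join(parts)


class CachingProxy:
    """Minimal cache in front of an origin handler.

    honour_vary_star=False reproduces the failure mode: a literal `Vary: *`
    is treated as if Vary were absent, so one stored body serves every client.
    """

    def __init__(self, origin, honour_vary_star: bool = True):
        self.origin = origin
        self.honour_vary_star = honour_vary_star
        # path -> (Vary value the stored variants were keyed on, {key: response})
        self.store: dict[str, tuple[str | None, dict[str, Response]]] = {}

    def get(self, path: str, request_headers: dict[str, str]) -> tuple[Response, str]:
        if path in self.store:
            vary, variants = self.store[path]
            key = cache_key(path, request_headers, vary)
            if key in variants:
                return variants[key], "HIT"
        response = self.origin(path, request_headers)
        vary = _header(response.headers, "Vary")
        decision_headers = dict(response.headers)
        if not self.honour_vary_star and vary is not None and vary.strip() == "*":
            # Buggy mode: `Vary: *` dropped from both the decision and the key,
            # so the response is stored under the bare path.
            decision_headers = {k: v for k, v in decision_headers.items() if k.lower() != "vary"}
            vary = None
        if is_cacheable(Response(response.status, response.body, decision_headers)):
            variants = self.store.setdefault(path, (vary, {}))[1]
            variants[cache_key(path, request_headers, vary)] = response
        return response, "MISS"


def _private_profile(path: str, request_headers: dict[str, str]) -> Response:
    """Constructed origin: returns the caller's own profile, so the body is private."""
    user = _header(request_headers, "Authorization") or "anonymous"
    return Response(200, f"profile of {user}", {"Content-Type": "text/plain", "Vary": "*"})


def demo(honour_vary_star: bool) -> tuple[str, str]:
    """Alice then Bob fetch /me through the cache; returns the body each received."""
    proxy = CachingProxy(_private_profile, honour_vary_star)
    alice, _ = proxy.get("/me", {"Authorization": "alice"})
    bob, _ = proxy.get("/me", {"Authorization": "bob"})
    return alice.body, bob.body


if __name__ == "__main__":
    print("correct:", demo(True))   # ('profile of alice', 'profile of bob')
    print("buggy:  ", demo(False))  # ('profile of alice', 'profile of alice')
```

With the rule honoured, Alice's response is never stored and Bob gets his own profile; with it skipped, Bob is served Alice's cached body, which is the exposure the advisory describes for Vary: * responses.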

Implications

  • Directly actionable: the ASGI upload bypass (CVE-2026-5766) matters for any ASGI deployment, since a missing or understated Content-Length lets a body exceed the configured upload limit. The session fixation (CVE-2026-35192) matters for any authenticated page that passes through response caching while SESSION_SAVE_EVERY_REQUEST is True.
  • Fits the broader advisory pattern: after 85+ days without a Django release, three CVEs land at once. The low severity ratings are reassuring, but the cache/session interaction bugs are the subtle kind that pass code review, and they depend on configuration rather than on a single vulnerable call site.
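A quick triage for the actionable items above: compare the running Django version against the fixed versions the advisory names and flag the settings each CVE depends on. This is an added helper, not the Django project's code or tooling. It encodes only what the advisory states (all three CVEs affect 6.0 before 6.0.5; 5.2.14 carries fixes) and the settings named in the summary (SESSION_SAVE_EVERY_REQUEST, UpdateCacheMiddleware, an ASGI deployment); SAMPLE_SETTINGS is constructed for the demonstration.

```python
"""Triage helper for the Django 6.0.5 / 5.2.14 security release.

Added example, not the Django project's code. It compares a Django version
string against the fixed versions named in the advisory and flags the settings
the advisory ties to each CVE. The advisory states that all three issues affect
6.0 before 6.0.5; for the 5.2 series it only says 5.2.14 carries fixes, so the
script reports "predates 5.2.14" rather than asserting which CVEs apply.
SAMPLE_SETTINGS is constructed for the demonstration.
"""
import re

# Fixed version per release series, from the advisory.
FIXED = {(6, 0): (6, 0, 5), (5, 2): (5, 2, 14)}
CVES = ("CVE-2026-5766", "CVE-2026-35192", "CVE-2026-6907")
CACHE_MIDDLEWARE = "django.middleware.cache.UpdateCacheMiddleware"


def parse_version(version: str) -> tuple[int, int, int]:
    """'6.0.4' -> (6, 0, 4); '6.0' -> (6, 0, 0). Pre-release suffixes are ignored."""
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised Django version {version!r}")
    return int(match.group(1)), int(match.group(2)), int(match.group(3) or 0)


def version_findings(version: str) -> list[str]:
    """One finding if the version predates the fix for its series, else none."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return [f"Django {version}: series not named in this release, check the advisory"]
    if ver >= fixed:
        return []
    fixed_str = ".".join(map(str, fixed))
    if ver[:2] == (6, 0):
        return [f"Django {version} predates {fixed_str}: {', '.join(CVES)} unpatched"]
    return [f"Django {version} predates {fixed_str}, which carries this release's fixes"]


def settings_findings(settings: dict) -> list[str]:
    """Flag the configuration each CVE depends on, per the advisory.

    Caveat: view-level caching (cache_page) is not visible in settings, so an
    empty result here is not a clean bill for the cache-related issues.
    """
    findings = []
    caching = CACHE_MIDDLEWARE in settings.get("MIDDLEWARE", [])
    if caching and settings.get("SESSION_SAVE_EVERY_REQUEST", False):
        findings.append("SESSION_SAVE_EVERY_REQUEST=True with UpdateCacheMiddleware: "
                        "CVE-2026-35192 (session fixation) conditions present")
    if caching:
        findings.append("UpdateCacheMiddleware enabled: CVE-2026-6907 "
                        "(Vary: * responses cached) applies")
    if settings.get("ASGI_APPLICATION"):
        findings.append("ASGI_APPLICATION set: CVE-2026-5766 "
                        "(ASGI upload limit bypass) applies")
    return findings


def audit(version: str, settings: dict) -> list[str]:
    """Version finding first; settings findings only matter when unpatched."""
    findings = version_findings(version)
    if not findings:
        return []
    return findings + settings_findings(settings)


# Constructed sample settings, not from any real project.
SAMPLE_SETTINGS = {
    "SESSION_SAVE_EVERY_REQUEST": True,
    "ASGI_APPLICATION": "mysite.asgi.application",
    "MIDDLEWARE": [
        CACHE_MIDDLEWARE,
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        "django.middleware.cache.FetchFromCacheMiddleware",
    ],
}

if __name__ == "__main__":
    for version in ("6.0.4", "6.0.5", "5.2.13"):
        for line in audit(version, SAMPLE_SETTINGS) or [f"Django {version}: no findings"]:
            print(line)
```

In a real project, pass django.get_version() and a dict built from django.conf.settings (the three names above) instead of SAMPLE_SETTINGS; the script itself runs offline. The version check is the decisive one: if the running version is at or past the fix for its series, the settings findings are moot.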
