Bug 2497327 (CVE-2026-48588)

Summary: CVE-2026-48588 django: Django: Information disclosure due to improper caching of Set-Cookie responses
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anthomas, brasmith, cmyers, cochase, dnakabaa, dranck, dschmidt, ehelms, ggainey, jlanda, jmitchel, jpasqual, juwatts, jwong, kaycoth, kshier, lcouzens, mhulan, nmoumoul, omaciel, osousa, pbohmill, pcreech, rchan, security-response-team, simaishi, smallamp, stcannon, teagle, tmalecek, ttakamiy, yguenane, ytale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Django. When django.middleware.cache.UpdateCacheMiddleware or django.views.decorators.cache.cache_page is in use, responses that set a cookie are not excluded from caching if the request includes any cookie, even when that cookie is unrelated to the response (for example, a language or theme preference). A remote attacker can retrieve a cached response intended for another user and obtain sensitive cookie data from the stored Set-Cookie header.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-07-07   

Description OSIDB Bzimport 2026-07-06 11:42:09 UTC
A flaw was found in Django. UpdateCacheMiddleware and the cache_page decorator fail to skip caching for responses that set a cookie when the incoming request already carries an unrelated cookie. This allows responses containing session or other sensitive Set-Cookie headers to be stored in Django's shared cache, leading to information disclosure.