Django: Critical Security Updates

Django addressed three CVE vulnerabilities with commits fixing ASGI file upload limits, request caching issues, and session cookie headers. Release notes for version 6.0.6 were also prepared.

Duration: PT1M57S

Episode overview

This episode is a short developer briefing from Django.

It explains recent repository work in plain language.

  • Show: Django
  • Published: 2026-05-05T00:00:00Z
  • Audio duration: PT1M57S

Transcript excerpt

This excerpt keeps the crawler page concise. Listen to the episode or use the RSS feed for the full update.

Good morning, this is your Django development update for May 5th, 2026.

The Django team pushed five commits today, all focused on critical security fixes. Jacob Walls addressed CVE-2026-5766, fixing a vulnerability in the ASGI deployment's MemoryFileUploadHandler where the DATA_UPLOAD_MAX_MEMORY_SIZE limit could be bypassed. The issue stemmed from ASGI not guaranteeing that…

Sarah Boyce tackled CVE-2026-6907, preventing Django from caching requests when the Vary header contains an asterisk. This addresses a potential cache poisoning vulnerability where responses could be inappropriately cached and served to different users.

Jake Howard resolved CVE-2026-35192, ensuring the Vary header is properly sent when setting session cookies with SESSION_SAVE_EVERY_REQUEST enabled. This prevents potential session fixation attacks by ensuring proper cache behavior across different clients.

All three fixes include comprehensive test coverage and updates to release documentation for versions 5.2.14 and 6.0.5. The team also added stub release notes for the upcoming 6.0.6 version and updated the security archive with details on all three CVEs.

What's next: Watch for the official release announcements…
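The two cache-related fixes in the excerpt both turn on how a shared cache reads the `Vary` header: a response carrying `Vary: *` cannot be matched to any later request and so must not be stored, and a response that sets a session cookie must declare `Vary: Cookie` so that one client's copy is never served to another. The following model of those two decisions is an added example written for this page, not Django's code or the code from the commits described; the function names, the `sessionid` cookie name and the sample header values are constructed for illustration.

```python
"""Model of a shared cache's Vary handling (constructed example, not Django code)."""
from __future__ import annotations

from typing import Iterable, Mapping, Optional


def split_list_header(value: Optional[str]) -> set[str]:
    """Split a comma-separated header value into a lower-cased set of tokens."""
    if not value:
        return set()
    return {token.strip().lower() for token in value.split(",") if token.strip()}


def is_cacheable(response_headers: Mapping[str, str]) -> bool:
    """Decide whether a shared cache may store this response.

    `Vary: *` means no combination of request headers identifies which
    clients the response is valid for, so storing it would risk handing
    one user's response to a different user. `no-store`/`private`
    directives also forbid shared caching.
    """
    lowered = {name.lower(): value for name, value in response_headers.items()}
    if "*" in split_list_header(lowered.get("vary")):
        return False
    if {"no-store", "private"} & split_list_header(lowered.get("cache-control")):
        return False
    return True


def add_vary_fields(response_headers: dict[str, str], names: Iterable[str]) -> dict[str, str]:
    """Append field names to Vary, case-insensitively, without duplicates."""
    existing = [n.strip() for n in response_headers.get("Vary", "").split(",") if n.strip()]
    seen = {n.lower() for n in existing}
    for name in names:
        if name.lower() not in seen:
            existing.append(name)
            seen.add(name.lower())
    response_headers["Vary"] = ", ".join(existing)
    return response_headers


def set_session_cookie(response_headers: dict[str, str], session_key: str) -> dict[str, str]:
    """Set the session cookie and mark the response as varying on Cookie.

    Without the Vary entry, a shared cache keyed only on method and path
    would store this per-user response and replay it to other clients.
    The cookie name `sessionid` is an assumption for this example.
    """
    response_headers["Set-Cookie"] = f"sessionid={session_key}; HttpOnly; Path=/"
    return add_vary_fields(response_headers, ("Cookie",))


def cache_key(method: str, path: str, request_headers: Mapping[str, str],
              response_headers: Mapping[str, str]) -> Optional[str]:
    """Build the cache key for a response, or return None if it must not be stored.

    The key includes the request value of every header named in Vary, so
    two clients with different cookies never share a cached entry.
    """
    if not is_cacheable(response_headers):
        return None
    request_lowered = {name.lower(): value for name, value in request_headers.items()}
    parts = [method.upper(), path]
    for name in sorted(split_list_header(response_headers.get("Vary"))):
        parts.append(f"{name}={request_lowered.get(name, '')}")
    return "|".join(parts)


if __name__ == "__main__":
    # Constructed sample: a per-user page that sets a session cookie.
    headers = set_session_cookie({"Vary": "Accept-Encoding"}, "user-one-key")
    print(headers["Vary"])  # Accept-Encoding, Cookie
    print(cache_key("GET", "/profile", {"Cookie": "sessionid=user-one-key"}, headers))
    print(cache_key("GET", "/profile", {"Cookie": "sessionid=user-two-key"}, headers))
    print(cache_key("GET", "/", {}, {"Vary": "*"}))  # None: never stored
```

In this model the two distinct clients produce two distinct keys for the same path, and a `Vary: *` response yields no key at all; the defect classes described in the excerpt correspond to a cache that skipped either of those checks.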
