Update dependency django to v6.0.5 [SECURITY]

renovatebot commented

2026-05-09 07:10:00 +00:00

Collaborator

This PR contains the following updates:

Package	Type	Update	Change
django (changelog)	project.dependencies	patch	`6.0.4` → `6.0.5`

Django Uses Cache Containing Sensitive Information

BIT-django-2026-6907 / CVE-2026-6907 / GHSA-5hrc-gvxj-w55p

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ('*'). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Ahmad Sadeddin for reporting this issue.

Severity

CVSS Score: 2.3 / 10 (Low)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Django Uses Persistent Cookies Containing Sensitive Information

BIT-django-2026-35192 / CVE-2026-35192 / GHSA-7h2m-m8vj-598h

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Cantina for reporting this issue.

Severity

CVSS Score: 2.3 / 10 (Low)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Django has an Improper Handling of Length Parameter Inconsistency

BIT-django-2026-5766 / CVE-2026-5766 / GHSA-w26r-rmm8-9c29

More information

Details

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Kyle Agronick for reporting this issue.

Severity

CVSS Score: 6.3 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

django/django (django)

`v6.0.5`

Compare Source

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [django](https://github.com/django/django) ([changelog](https://docs.djangoproject.com/en/stable/releases/)) | project.dependencies | patch | `6.0.4` → `6.0.5` | --- ### Django Uses Cache Containing Sensitive Information BIT-django-2026-6907 / [CVE-2026-6907](https://nvd.nist.gov/vuln/detail/CVE-2026-6907) / [GHSA-5hrc-gvxj-w55p](https://github.com/advisories/GHSA-5hrc-gvxj-w55p) <details> <summary>More information</summary> #### Details An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django thanks Ahmad Sadeddin for reporting this issue. #### Severity - CVSS Score: 2.3 / 10 (Low) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2026-6907](https://nvd.nist.gov/vuln/detail/CVE-2026-6907) - [https://docs.djangoproject.com/en/dev/releases/security](https://docs.djangoproject.com/en/dev/releases/security) - [https://github.com/django/django](https://github.com/django/django) - [https://groups.google.com/g/django-announce](https://groups.google.com/g/django-announce) - [https://www.djangoproject.com/weblog/2026/may/05/security-releases](https://www.djangoproject.com/weblog/2026/may/05/security-releases) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-5hrc-gvxj-w55p) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Django Uses Persistent Cookies Containing Sensitive Information BIT-django-2026-35192 / [CVE-2026-35192](https://nvd.nist.gov/vuln/detail/CVE-2026-35192) / [GHSA-7h2m-m8vj-598h](https://github.com/advisories/GHSA-7h2m-m8vj-598h) <details> <summary>More information</summary> #### Details An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django thanks Cantina for reporting this issue. #### Severity - CVSS Score: 2.3 / 10 (Low) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2026-35192](https://nvd.nist.gov/vuln/detail/CVE-2026-35192) - [https://docs.djangoproject.com/en/dev/releases/security](https://docs.djangoproject.com/en/dev/releases/security) - [https://github.com/django/django](https://github.com/django/django) - [https://groups.google.com/g/django-announce](https://groups.google.com/g/django-announce) - [https://www.djangoproject.com/weblog/2026/may/05/security-releases](https://www.djangoproject.com/weblog/2026/may/05/security-releases) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7h2m-m8vj-598h) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Django has an Improper Handling of Length Parameter Inconsistency BIT-django-2026-5766 / [CVE-2026-5766](https://nvd.nist.gov/vuln/detail/CVE-2026-5766) / [GHSA-w26r-rmm8-9c29](https://github.com/advisories/GHSA-w26r-rmm8-9c29) <details> <summary>More information</summary> #### Details An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django thanks Kyle Agronick for reporting this issue. #### Severity - CVSS Score: 6.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2026-5766](https://nvd.nist.gov/vuln/detail/CVE-2026-5766) - [https://docs.djangoproject.com/en/dev/releases/security](https://docs.djangoproject.com/en/dev/releases/security) - [https://github.com/django/django](https://github.com/django/django) - [https://groups.google.com/g/django-announce](https://groups.google.com/g/django-announce) - [https://www.djangoproject.com/weblog/2026/may/05/security-releases](https://www.djangoproject.com/weblog/2026/may/05/security-releases) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-w26r-rmm8-9c29) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>django/django (django)</summary> ### [`v6.0.5`](https://github.com/django/django/compare/6.0.4...6.0.5) [Compare Source](https://github.com/django/django/compare/6.0.4...6.0.5) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovatebot added 1 commit

2026-05-09 07:10:00 +00:00

Update dependency django to v6.0.5 [SECURITY]

ci / build (push) Successful in 32s

Details

ci / test (push) Successful in 2s

Details

ci / push (push) Failing after 2s

Details

5116631033

jonathan merged commit 5116631033 into main

2026-05-09 18:11:33 +00:00

jonathan deleted branch renovate/pypi-django-vulnerability

2026-05-09 18:11:34 +00:00

Rows
Columns

Update dependency django to v6.0.5 [SECURITY] #7

Django Uses Cache Containing Sensitive Information

Details

Severity

References

Django Uses Persistent Cookies Containing Sensitive Information

Details

Severity

References

Django has an Improper Handling of Length Parameter Inconsistency

Details

Severity

References

Release Notes

v6.0.5

Configuration

`v6.0.5`