Django 6.0.5 ships with cache header fix
By RepoJournal · About Django
Django 6.0.5 is live and patches CVE-2026-6907, a cache poisoning vulnerability in the Vary header handling that could expose sensitive data across requests.
The djangoproject.com requirements bump signals that Django 6.0.5 is production-ready [1]. The release addresses a critical issue where improper handling of the Vary header during caching could allow attackers to bypass cache validation and have a poisoned response served to subsequent requests. This is the kind of vulnerability that lives in production undetected: the cache layer quietly violates the HTTP spec and serves the wrong response to the wrong user. The fix tightens cache key generation so that it respects Vary headers correctly. If you're running 6.0.x, this is not optional. Ship it before your next deploy.
Action items
- Upgrade Django to 6.0.5 immediately (django/django) [immediate]
- Audit cache headers in your middleware if you've customized Vary handling (django/django) [plan]
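To make the audit item concrete, the following is an added, self-contained illustration of what Vary-aware cache key generation has to guarantee. It is not Django's code and not the patch itself; it mirrors the idea behind Django's learn_cache_key()/get_cache_key() helpers (the values of every request header named in the response's Vary header are folded into the cache key) with a naive key beside it, and runs a constructed two-user scenario through a toy cache. All function and class names (naive_cache_key, vary_cache_key, ToyCache, simulate) and the sample cookies are assumptions made for this example.

```python
"""
Vary-aware cache keys: added example, not Django's implementation.

A shared cache that keys responses only on method + URL will hand one
user's personalised page to the next user.  Folding the request headers
named in the response's Vary header into the key prevents that.
"""
import hashlib
from typing import Callable, Dict, List, Mapping, Optional


def naive_cache_key(method: str, url: str) -> str:
    """Key that ignores Vary: every request for the same URL collides."""
    return hashlib.sha256(f"{method}:{url}".encode()).hexdigest()


def parse_vary(vary_header: Optional[str]) -> List[str]:
    """Split a Vary header into sorted, lower-cased header names.
    A bare '*' means the response must never be served from cache."""
    if not vary_header:
        return []
    names = {h.strip().lower() for h in vary_header.split(",") if h.strip()}
    return sorted(names)


def vary_cache_key(method: str, url: str,
                   request_headers: Mapping[str, str],
                   vary_header: Optional[str]) -> Optional[str]:
    """Key that incorporates the value of each Vary'd request header.
    Returns None when the response is uncacheable (Vary: *)."""
    names = parse_vary(vary_header)
    if "*" in names:
        return None
    # Header names are case-insensitive, so normalise the request side too.
    normalised = {k.lower(): v for k, v in request_headers.items()}
    parts = [f"{method}:{url}"]
    for name in names:
        # Missing header is still part of the key, as an empty value,
        # so "no Cookie" and "Cookie: x" never collide.
        parts.append(f"{name}={normalised.get(name, '')}")
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()


class ToyCache:
    """Minimal in-memory response cache keyed by the caller's key."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def fetch(self, key: Optional[str], render: Callable[[], str]) -> str:
        if key is None:          # uncacheable: always render fresh
            return render()
        if key not in self._store:
            self._store[key] = render()
        return self._store[key]


def simulate(use_vary: bool) -> List[str]:
    """Serve /account to two users (constructed cookies) through one cache.
    Returns the body each user actually received."""
    cache = ToyCache()
    served = []
    for cookie in ("sessionid=alice", "sessionid=bob"):
        headers = {"Cookie": cookie}
        if use_vary:
            key = vary_cache_key("GET", "/account", headers, "Cookie")
        else:
            key = naive_cache_key("GET", "/account")
        served.append(cache.fetch(key, lambda: f"page for {cookie}"))
    return served


if __name__ == "__main__":
    print("naive keys:", simulate(False))   # bob gets alice's page
    print("vary keys: ", simulate(True))    # each user gets their own page
```

When reviewing custom middleware, the property to check is the one simulate(True) demonstrates: any header your view's output depends on must be named in Vary (Django's patch_vary_headers() does this) and must therefore change the cache key; if a header influences the response but is absent from Vary, the naive collision above is exactly what a shared cache will reproduce.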
References
- [1] Bump django from 6.0.4 to 6.0.5 in /requirements (django/djangoproject.com)
FAQ
- Q: What changed in Django on May 11, 2026?
  A: Django 6.0.5 is live and patches CVE-2026-6907, a cache poisoning vulnerability in the Vary header handling that could expose sensitive data across requests.
- Q: What should Django teams do about it?
  A: Upgrade Django to 6.0.5 immediately; audit cache headers in your middleware if you've customized Vary handling.
- Q: Which Django repositories shipped on May 11, 2026?
  A: django/djangoproject.com