Home/ Blog/ Security news/ Article
Blog · Security news

Django shipped three low-severity security fixes. One of them deserves a closer look.

Django 6.0.7 and 5.2.16 patch three low-severity issues: a header injection, a cache data leak, and a heap over-read. Which one to check first and how to

Isometric lattice of beams with three faint hairline cracks at separate joints

Django shipped 6.0.7 and 5.2.16 on July 7, each carrying three security fixes. The Django team rates all three low severity. The CVE records attach CVSS scores of 4.2, 4.8, and 6.1, so the ceiling is medium rather than critical, and none of the three is reported as exploited. Fold this into your normal upgrade cadence; it is not a drop-everything patch.

What makes the release worth a close read is that every one of the three bugs fires only when your app uses one specific Django subsystem. A stock app on defaults is barely in scope. So the useful move is not to panic on the version number but to triage by feature: work out which of the three can actually reach you, then upgrade with that in mind.

Source: Django security release, July 7 2026. Fixed in 6.0.7 and 5.2.16.

The header injection is the one to look at first

CVE-2026-53878 is the top-scored of the three at CVSS 6.1, and it is the most interesting for where it does and does not bite. Django's DomainNameValidator let a newline character slip through inside a domain name. Feed it attacker-controlled text, let that text through, then write the value into an HTTP response, and the embedded newline can split the response and inject a header of the attacker's choosing.

The boundary matters. Django itself is safe here: HttpResponse rejects newlines in header values, and a form field built on CharField strips them before the validator is ever called. The exposure opens only when you invoke the validator directly, outside a form, on untrusted data, and then pass that data to something that assembles a raw header. Narrow, yes, but it is exactly the sort of path worth grepping for instead of assuming away. Any DomainNameValidator call off the standard form pipeline is your first stop. It is the same misplaced trust in a validated string that sits behind other HTTP header handling flaws and input-handling bugs in other web frameworks.

The cache bug can serve one user's data to another

CVE-2026-48588 carries the lowest score at CVSS 4.2, yet it has the most uncomfortable failure mode. Django's UpdateCacheMiddleware and the cache_page() decorator are meant to skip the cache whenever a response both sets a cookie and varies by cookie. They only applied that guard when the incoming request arrived with no cookies of its own. If the request already carried some unrelated cookie, a response holding private, per-user content could land in a shared cache and later be handed to a different visitor.

This reaches you only if you run Django's per-view or per-site page cache on a backend shared across users, with views that vary on cookies. If that is your setup, the upgrade closes the gap, and there is no clean way to reconstruct whether a stale entry was ever served to the wrong person. That uncertainty is the reason not to sit on this one when page caching is in play.

The GIS over-read is the narrowest

CVE-2026-53877 touches django.contrib.gis and nothing else. Build a GDALRaster out of an in-memory bytes value, then read its vsi_buffer, and the reader runs roughly 32 bytes past where its own buffer ends. That can leak nearby heap memory or drop the process with a segmentation fault. If you never touch the GIS raster features, this row is not yours. If you do build rasters from in-memory bytes, patch it and move on.

Upgrade, but triage by feature first

Move to Django 6.0.7 or 5.2.16. Anything on the 6.0 line below that patch, or on the 5.2 line below 5.2.16, is in scope, and Django warns that the release series it no longer supports went unchecked and may carry the same bugs, one more reason to get off them. Before the upgrade lands, run the short triage:

  • Grep for DomainNameValidator outside your form definitions. A call on untrusted input that feeds a response header is the real risk in this batch.
  • Check whether you use cache_page or UpdateCacheMiddleware with a shared cache backend and cookie-varying views. If so, treat CVE-2026-48588 as the priority.
  • Confirm whether anything builds a GDALRaster from bytes. If not, CVE-2026-53877 does not apply to you.

None of this is a fire drill. It is the routine, unglamorous work of keeping a framework current, the same discipline that triaging any web-stack advisory calls for: read what actually applies, patch on a schedule you control, and do not let a low-severity label talk you out of checking the one call site that turns a 6.1 into your problem. Credit for the reports goes to Chris Whyland for the cache issue and Bence Nagy for the header and raster issues, both named in Django's advisory.

IssueWhat breaksSeverity (Django / CVSS)Who is exposed
CVE-2026-53878DomainNameValidator lets a newline through a domain name, opening header injectionLow / 6.1Apps that run it on untrusted input and write the value into a response header
CVE-2026-48588A cookie-varying response gets cached and can leak private data across usersLow / 4.2Apps using cache_page or UpdateCacheMiddleware on a shared cache backend
CVE-2026-53877GDALRaster reads past the end of its bufferLow / 4.8GIS apps that build a GDALRaster from bytes and read vsi_buffer
Topics

Frequently asked questions

Which Django versions fix these vulnerabilities?

Django 6.0.7 and 5.2.16, both released July 7 2026, contain the fixes. The affected ranges are Django 6.0 before 6.0.7 and 5.2 before 5.2.16. Django notes that unsupported older series such as 5.0.x, 4.1.x and 3.2.x were not evaluated and may also be affected.

Are these Django bugs being exploited?

No public exploitation has been reported at the time of writing, and Django rates all three issues low severity. The CVE records assign CVSS scores of 4.2, 4.8 and 6.1. Treat this as a routine maintenance upgrade rather than an emergency patch.

What is CVE-2026-53878, the DomainNameValidator flaw?

DomainNameValidator accepted newline characters in domain names. If an application runs it on untrusted input and then places that value in an HTTP response, header injection can occur. Django itself is safe because HttpResponse blocks newlines in headers, and form fields strip them first.

How can a Django cache leak private data (CVE-2026-48588)?

UpdateCacheMiddleware and cache_page cached cookie-varying responses even when the request carried unrelated cookies. A shared cache could then store a response containing private data and serve it to another user. Only apps using Django's per-view or per-site page cache on a shared backend are exposed.

Does CVE-2026-53877 affect every Django app?

No. It only affects apps that use django.contrib.gis and build a GDALRaster from a bytes object, then read its vsi_buffer property. The reader runs about 32 bytes past its buffer, which can leak nearby heap memory or crash the process. Non-GIS apps are unaffected.

Do I need to patch Django immediately?

For most apps, there is no rush: upgrade on your normal cycle to 6.0.7 or 5.2.16. Move sooner if you run DomainNameValidator on untrusted input outside a form, use cookie-varying page caching on a shared cache, or parse rasters from bytes in a GIS app.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.