Django Rushes Patch for Three Critical Vulnerabilities in Version 6.0.5
The Django Project has released version 6.0.5, addressing three confirmed security vulnerabilities tracked as CVE-2026-6907, CVE-2026-35192, and CVE-2026-5766. The bundling itself is notable: all three CVEs landed in the same release cycle, which suggests either coordinated discovery or an assessment that the flaws warranted remediation together. Organizations running Django-powered applications should treat this as a priority update.
The first flaw, CVE-2026-6907, involves improper handling of the Vary header in request caching, a vulnerability that could cause servers to serve stale or incorrect cached responses to different users. CVE-2026-35192 addresses a related issue in which the Vary header was not triggered properly when session data was set, potentially exposing one user's session state to another. The third patch, CVE-2026-5766, enforces the DATA_UPLOAD_MAX_MEMORY_SIZE limit within Django's memory-file storage handling, closing a bypass that could have allowed oversized uploads to slip past the configured restriction.
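To make the Vary mechanism behind the two caching CVEs concrete, the following is an added, self-contained Python model of a Vary-aware page cache; it is not Django's code and does not reproduce the patched code paths, and the cache, view and session cookies are constructed for the illustration. It shows why a response that touches session state but omits `Vary: Cookie` is served to a second user straight from cache, and includes a small audit check for that condition.

```python
"""Stand-in for Vary-aware response caching (added illustration, not Django's
code): a session-bearing response cached without "Vary: Cookie" hands one
user's page to the next user who requests the same URL."""
import hashlib
from typing import Dict, Tuple

Headers = Dict[str, str]


def parse_vary(response_headers: Headers) -> Tuple[str, ...]:
    """Normalize the Vary header into a sorted tuple of request-header names."""
    raw = response_headers.get("Vary", "")
    return tuple(sorted(h.strip().lower() for h in raw.split(",") if h.strip()))


def cache_key(path: str, request_headers: Headers, vary: Tuple[str, ...]) -> str:
    """Key an entry on the path plus only the request headers named by Vary;
    a header absent from Vary cannot separate two users' entries."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    parts = [path] + [f"{h}={lowered.get(h, '')}" for h in vary]
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()


class VaryCache:
    """Full-page cache that learns each path's Vary list from its first response."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}
        self.learned_vary: Dict[str, Tuple[str, ...]] = {}

    def fetch(self, path: str, request_headers: Headers, view) -> str:
        key = cache_key(path, request_headers, self.learned_vary.get(path, ()))
        if key in self.entries:
            return self.entries[key]  # cache hit: the view never runs
        body, response_headers = view(request_headers)
        vary = self.learned_vary[path] = parse_vary(response_headers)
        self.entries[cache_key(path, request_headers, vary)] = body
        return body


def session_vary_missing(touched_session: bool, response_headers: Headers) -> bool:
    """Audit check: a response that read or wrote the session must vary on Cookie."""
    return touched_session and "cookie" not in parse_vary(response_headers)


def simulate(vary_on_cookie: bool) -> Tuple[str, str]:
    """Two users with constructed session cookies request /profile; the view
    embeds the caller's cookie as a stand-in for per-user content."""
    def profile_view(req: Headers) -> Tuple[str, Headers]:
        return f"profile for {req['Cookie']}", ({"Vary": "Cookie"} if vary_on_cookie else {})
    cache = VaryCache()
    alice = cache.fetch("/profile", {"Cookie": "sessionid=alice"}, profile_view)
    bob = cache.fetch("/profile", {"Cookie": "sessionid=bob"}, profile_view)
    return alice, bob
```

With `vary_on_cookie=False`, Bob's request hits Alice's cached entry; with it set, each user gets a separate entry.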
Together, these vulnerabilities paint a consistent picture: misconfigured or exploited caching logic combined with insufficient boundary enforcement. For any organization handling user sessions, authenticated content, or file uploads through Django, the risk of data leakage or session cross-contamination is non-trivial. Security teams running Django instances should audit their current version immediately, cross-reference against the official Django security advisories, and deploy 6.0.5 or later. Given that two of the three CVEs share the Vary header as a common thread, particular scrutiny should fall on middleware and caching configurations in production environments.