Django 6.0.5 release notes
May 5, 2026
Django 6.0.5 fixes three security issues with severity “low” and several bugs in 6.0.4.
CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
ASGI requests with a missing or understated Content-Length header could
bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading
large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely
relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
This issue has severity “low” according to the Django security policy.
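As an added illustration of the defensive shape of this fix (this is not Django's code, and it is not a substitute for the web-server-level limit the note asks for): an ASGI middleware that enforces a body-size cap by counting the bytes the server actually delivers, rather than trusting the Content-Length header, so a missing or understated header changes nothing. The BodyLimitMiddleware class, the BodyTooLarge exception, the MAX_BODY_BYTES constant and the echo_length_app and simulate helpers are this example's own names; the request chunks they exchange are constructed in-process.

```python
import asyncio

# Assumed limit for this example (the name is ours), sized like Django's default
# FILE_UPLOAD_MAX_MEMORY_SIZE of 2.5 MiB.
MAX_BODY_BYTES = 2_621_440


class BodyTooLarge(Exception):
    """Raised once the bytes actually received exceed the limit."""


class BodyLimitMiddleware:
    """ASGI middleware that caps the request body by bytes actually received.

    Content-Length is never consulted: the count comes from the http.request
    messages the server delivers, so a missing or understated header cannot
    bypass the limit.
    """

    def __init__(self, app, max_bytes=MAX_BODY_BYTES):
        self.app = app
        self.max_bytes = max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        received = 0
        response_started = False

        async def limited_receive():
            nonlocal received
            message = await receive()
            if message["type"] == "http.request":
                received += len(message.get("body", b""))
                if received > self.max_bytes:
                    raise BodyTooLarge(received)
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except BodyTooLarge:
            if response_started:
                raise  # headers already sent; the server must drop the connection
            await send({"type": "http.response.start", "status": 413,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"Request body too large\n"})


async def echo_length_app(scope, receive, send):
    """Toy downstream app: buffers the whole body, then reports its size."""
    total = 0
    while True:
        message = await receive()
        total += len(message.get("body", b""))
        if not message.get("more_body", False):
            break
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(total).encode()})


def simulate(chunks, claimed_content_length, max_bytes=MAX_BODY_BYTES):
    """Drive the middleware with constructed body chunks; return (status, body).

    claimed_content_length only fills the header so callers can show that an
    understated or absent value changes nothing.
    """
    chunks = list(chunks) or [b""]

    async def run():
        messages = iter(
            {"type": "http.request", "body": c, "more_body": i < len(chunks) - 1}
            for i, c in enumerate(chunks)
        )
        sent = []

        async def receive():
            return next(messages, {"type": "http.disconnect"})

        async def send(message):
            sent.append(message)

        headers = []
        if claimed_content_length is not None:
            headers.append((b"content-length", str(claimed_content_length).encode()))
        scope = {"type": "http", "method": "POST", "path": "/upload", "headers": headers}
        await BodyLimitMiddleware(echo_length_app, max_bytes)(scope, receive, send)
        status = next(m["status"] for m in sent if m["type"] == "http.response.start")
        body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
        return status, body

    return asyncio.run(run())
```

The point of the design is that the limit is applied where the bytes arrive, in the receive callable, so every consumer downstream (a multipart parser included) is protected regardless of what the request claimed about itself. A real deployment still wants the web server's own body-size limit in front of this, as the note says, because the server is the first place the bytes land.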
CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
Response headers did not vary on cookies if a
session was not modified, but SESSION_SAVE_EVERY_REQUEST was
True. A remote attacker could steal a user’s session after that user visits
a cached public page.
This issue has severity “low” according to the Django security policy.
CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
Previously, UpdateCacheMiddleware would
erroneously cache requests where the Vary header contained an asterisk
('*'). This could lead to private data being stored and served.
This issue has severity “low” according to the Django security policy.
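The two cache-related issues above (CVE-2026-35192 and CVE-2026-6907) share a root: a shared cache storing a response whose Vary header does not describe what actually selected it, so one visitor's copy, cookie included, can be replayed to another. The following is an added illustration of the decision a shared cache should make before storing a response; it is not Django's UpdateCacheMiddleware and reuses none of its code. The function names, the reason strings and the sample headers are this example's own, and the policy it encodes (refuse Vary: *, refuse private or no-store, refuse a cookie-setting response that is not keyed on Cookie or that answers a cookie-less request) is a general shared-cache rule, not a description of Django's internals.

```python
def header_list(value):
    """Split a comma-separated header value into lowercased, stripped tokens."""
    return [token.strip().lower() for token in value.split(",") if token.strip()]


def shared_cache_decision(request_headers, response_headers):
    """Return (store, reason, key) for a shared cache observing one exchange.

    Both arguments are lists of (name, value) pairs so repeated fields such
    as Set-Cookie survive. ``key`` is only produced when ``store`` is True and
    is the tuple of request header values the response varies on.
    """
    req = {name.lower(): value for name, value in request_headers}
    vary, cache_control, sets_cookie = [], [], False
    for name, value in response_headers:
        name = name.lower()
        if name == "vary":
            vary.extend(header_list(value))
        elif name == "cache-control":
            cache_control.extend(header_list(value))
        elif name == "set-cookie":
            sets_cookie = True

    # Vary: * never matches any later request (RFC 9111 section 4.1), so a
    # stored copy could only ever be served to the wrong requester. Refuse it.
    if "*" in vary:
        return False, "vary-star", None
    if "no-store" in cache_control or "private" in cache_control:
        return False, "cache-control", None
    # A response that hands out a cookie is per-user. Storing it without a
    # Cookie dimension in the key replays one visitor's cookie to everyone.
    if sets_cookie and "cookie" not in vary:
        return False, "set-cookie-without-vary-cookie", None
    # Even keyed on Cookie, a cookie-less request that is issued a cookie would
    # be served, cookie included, to every other cookie-less visitor.
    if sets_cookie and "cookie" not in req:
        return False, "set-cookie-on-cookieless-request", None

    key = tuple((name, req.get(name, "")) for name in sorted(set(vary)))
    return True, "ok", key


# Constructed sample exchanges (not captured traffic).
ANON_REQUEST = [("Host", "example.test"), ("Accept-Encoding", "gzip")]
LOGGED_IN_REQUEST = [("Host", "example.test"), ("Cookie", "sessionid=abc123")]

VARY_STAR_RESPONSE = [("Content-Type", "text/html"), ("Vary", "*")]
SESSION_REFRESH_RESPONSE = [("Set-Cookie", "sessionid=abc123; Path=/"),
                            ("Vary", "Accept-Encoding")]
PUBLIC_RESPONSE = [("Vary", "Accept-Encoding"), ("Cache-Control", "public, max-age=60")]
```

Run against the constructed samples, VARY_STAR_RESPONSE is refused outright, SESSION_REFRESH_RESPONSE (a session cookie re-issued on every response without a Cookie dimension in the key, the shape of the session-fixation issue) is refused, and only PUBLIC_RESPONSE is stored, keyed on the requester's Accept-Encoding value.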
Bugfixes
Fixed a misplaced </div> in the django/contrib/admin/templates/admin/change_list.html template added in Django 6.0 that could be problematic when overriding the pagination block (#37029).
Fixed a bug in Django 6.0 where deprecation warnings incorrectly skipped lines from third-party packages prefixed with “django” (#37067).