Django 6.0.5 release notes

May 5, 2026

Django 6.0.5 fixes three security issues with severity «low» and several bugs in 6.0.4.

CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass

ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.

This issue has severity «low» according to the Django security policy.

CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

Response headers did not vary on Cookie when a session was left unmodified, even though SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.

This issue has severity «low» according to the Django security policy.

CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware

Previously, UpdateCacheMiddleware would erroneously cache requests where the Vary header contained an asterisk ('*'). This could lead to private data being stored and served.

This issue has severity «low» according to the Django security policy.
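As an added illustration (not Django's own code), the following plain-Python model shows the two cache-related decisions behind CVE-2026-35192 and CVE-2026-6907: a response produced while the session is re-saved under SESSION_SAVE_EVERY_REQUEST must vary on Cookie, and a response carrying Vary: * must never be stored in a shared cache. The Response class and the function names are constructed stand-ins, not Django APIs.

```python
# Added example modelling the two cache-related fixes in this release. It is not
# Django's code: Response, patch_vary, finish_session and is_cacheable are stand-ins.
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int = 200
    headers: dict = field(default_factory=dict)


def vary_tokens(response):
    """Split the Vary header into its comma-separated tokens ([] if absent)."""
    raw = response.headers.get("Vary", "")
    return [t.strip() for t in raw.split(",") if t.strip()]


def patch_vary(response, *names):
    """Append header names to Vary, case-insensitively, without duplicates."""
    tokens = vary_tokens(response)
    seen = {t.lower() for t in tokens}
    for name in names:
        if name.lower() not in seen:
            tokens.append(name)
            seen.add(name.lower())
    response.headers["Vary"] = ", ".join(tokens)
    return response


def finish_session(response, accessed, modified, save_every_request):
    """Session-middleware decision (CVE-2026-35192): any response that depends
    on the session cookie must vary on Cookie. Before the fix, an unmodified
    session re-saved under SESSION_SAVE_EVERY_REQUEST=True was missed."""
    if accessed or modified or save_every_request:
        patch_vary(response, "Cookie")
    return response


def is_cacheable(response, fixed=True):
    """Shared-cache decision (CVE-2026-6907): 'Vary: *' means the response must
    never be reused; fixed=False reproduces the pre-6.0.5 mistake of storing it."""
    if response.status != 200:
        return False
    cache_control = response.headers.get("Cache-Control", "").lower()
    if "private" in cache_control or "no-store" in cache_control:
        return False
    if fixed and "*" in vary_tokens(response):
        return False
    return True
```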

Bugfixes

  • Fixed a misplaced </div> in the django/contrib/admin/templates/admin/change_list.html template added in Django 6.0 that could be problematic when overriding the pagination block (#37029).

  • Fixed a bug in Django 6.0 where deprecation warnings incorrectly skipped lines from third-party packages prefixed with «django» (#37067).