Common Weakness Enumeration

CWE-524

Use of Cache Containing Sensitive Information

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

CVE-2026-50184 (GCVE-0-2026-50184)

Vulnerability from cvelistv5 – Published: 2026-06-22 15:42 – Updated: 2026-06-23 13:48
VLAI
Title
Angular: Request Credential & Cache Policy Stripping in Angular Service Worker
Summary
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-524 - Use of Cache Containing Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
Affected: >= 21.0.0-next.0, < 21.2.15
Affected: >= 20.0.0-next.0, < 20.3.22
Affected: >= 19.0.0-next.0, < 19.2.23
Affected: <= 18.2.14
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50184",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T13:48:06.163682Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T13:48:24.684Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "angular",
          "vendor": "angular",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
            },
            {
              "status": "affected",
              "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
            },
            {
              "status": "affected",
              "version": "\u003c= 18.2.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: \u0027omit\u0027) and the HTTP cache mode configuration (such as cache: \u0027no-store\u0027). These are reverted back to standard browser-default parameters (credentials: \u0027same-origin\u0027 and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker\u0027s engine, making private page states accessible or persistent inside the client\u0027s local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-524",
              "description": "CWE-524: Use of Cache Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T15:50:48.049Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv"
        },
        {
          "name": "https://github.com/angular/angular/pull/68904",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/angular/angular/pull/68904"
        }
      ],
      "source": {
        "advisory": "GHSA-95qp-cmmw-mgqv",
        "discovery": "UNKNOWN"
      },
      "title": "Angular: Request Credential \u0026 Cache Policy Stripping in Angular Service Worker"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-50184",
    "datePublished": "2026-06-22T15:42:05.167Z",
    "dateReserved": "2026-06-03T22:05:13.644Z",
    "dateUpdated": "2026-06-23T13:48:24.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53943 (GCVE-0-2026-53943)

Vulnerability from cvelistv5 – Published: 2026-06-24 18:13 – Updated: 2026-06-24 18:48
VLAI
Title
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
Summary
Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected cache configurations, that response could be stored and served to subsequent visitors requesting the same page, allowing cache poisoning of request-specific preview output. When running Ghost's frontend and admin panel on the same domain this could be used to take over staff user accounts. When running these on different domains staff accounts have no exposure. This vulnerability is fixed in 6.37.0.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-524 - Use of Cache Containing Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
TryGhost Ghost Affected: >= 4.0.0, < 6.37.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53943",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T18:40:56.579441Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T18:48:56.416Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Ghost",
          "vendor": "TryGhost",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 6.37.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Ghost is a Node.js content management system. From  until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected cache configurations, that response could be stored and served to subsequent visitors requesting the same page, allowing cache poisoning of request-specific preview output. When running Ghost\u0027s frontend and admin panel on the same domain this could be used to take over staff user accounts. When running these on different domains staff accounts have no exposure. This vulnerability is fixed in 6.37.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-524",
              "description": "CWE-524: Use of Cache Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T18:13:04.114Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-62q6-4hv4-vjrw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-62q6-4hv4-vjrw"
        }
      ],
      "source": {
        "advisory": "GHSA-62q6-4hv4-vjrw",
        "discovery": "UNKNOWN"
      },
      "title": "Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-53943",
    "datePublished": "2026-06-24T18:13:04.114Z",
    "dateReserved": "2026-06-11T15:50:01.280Z",
    "dateUpdated": "2026-06-24T18:48:56.416Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-59213 (GCVE-0-2026-59213)

Vulnerability from cvelistv5 – Published: 2026-07-09 16:55 – Updated: 2026-07-09 17:52
VLAI
Title
Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user’s model list to another caller during the TTL window. This issue is fixed in version 0.10.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-524 - Use of Cache Containing Sensitive Information
Assigner
Impacted products
Vendor Product Version
open-webui open-webui Affected: >= 0.6.27, < 0.10.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-59213",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T17:52:02.458867Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T17:52:21.479Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.6.27, \u003c 0.10.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, get_all_models handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of key_builder, causing permission-filtered per-user model lists to share a static cache entry and exposing one user\u2019s model list to another caller during the TTL window. This issue is fixed in version 0.10.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-524",
              "description": "CWE-524: Use of Cache Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T16:55:00.032Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wp3-xxj9-5jqq"
        },
        {
          "name": "https://github.com/open-webui/open-webui/pull/25783",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/pull/25783"
        },
        {
          "name": "https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/commit/0fc630b34b2899599dabffffa012afd47599aa75"
        },
        {
          "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
        }
      ],
      "source": {
        "advisory": "GHSA-3wp3-xxj9-5jqq",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: Cross-user model-list exposure via static cache key in get_all_models (aiocache key= vs key_builder= misuse)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-59213",
    "datePublished": "2026-07-09T16:55:00.032Z",
    "dateReserved": "2026-07-02T21:05:02.924Z",
    "dateUpdated": "2026-07-09T17:52:21.479Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6907 (GCVE-0-2026-6907)

Vulnerability from cvelistv5 – Published: 2026-05-05 14:50 – Updated: 2026-05-06 15:25
VLAI
Title
Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
Summary
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-524 - Use of Cache Containing Sensitive Information
Assigner
DSF
Impacted products
Vendor Product Version
djangoproject Django Affected: 6.0 , < 6.0.5 (python)
Unaffected: 6.0.5 (python)
Affected: 5.2 , < 5.2.14 (python)
Unaffected: 5.2.14 (python)
Create a notification for this product.
Date Public
2026-05-05 09:00
Credits
Ahmad Sadeddin Sarah Boyce Sarah Boyce
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6907",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T17:03:42.610418Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-06T15:25:33.698Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.5",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.5",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.14",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.14",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Ahmad Sadeddin"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Sarah Boyce"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Sarah Boyce"
        }
      ],
      "datePublic": "2026-05-05T09:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\u003c/p\u003e\u003cp\u003e`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`\u0026#x27;*\u0026#x27;`). This can lead to private data being stored and served.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Ahmad Sadeddin for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\n`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`\u0027*\u0027`). This can lead to private data being stored and served.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmad Sadeddin for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-204",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-524",
              "description": "CWE-524: Use of Cache Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T14:50:02.594Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.5 and 5.2.14",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/may/05/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T10:17:03.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-04-23T10:17:26.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-05-05T09:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-6907",
    "datePublished": "2026-05-05T14:50:02.594Z",
    "dateReserved": "2026-04-23T11:19:30.877Z",
    "dateUpdated": "2026-05-06T15:25:33.698Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9678 (GCVE-0-2026-9678)

Vulnerability from cvelistv5 – Published: 2026-06-17 17:04 – Updated: 2026-06-17 18:05
VLAI
Title
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Summary
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored. In shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key. Affected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives. Patches: Upgrade to undici v7.28.0 or v8.5.0. Workarounds: If upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-524 - Use of Cache Containing Sensitive Information
Assigner
Impacted products
Vendor Product Version
undici undici Affected: 7.0.0 , < 7.28.0 (semver)
Unaffected: 7.28.0 (semver)
Affected: 8.0.0 , < 8.5.0 (semver)
Unaffected: 8.5.0 (semver)
Create a notification for this product.
Credits
mcollina UlisesGascon AndrewMohawk
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9678",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T18:05:24.378630Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T18:05:30.162Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/undici",
          "product": "undici",
          "vendor": "undici",
          "versions": [
            {
              "lessThan": "7.28.0",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "7.28.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.0",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "8.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "mcollina"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "UlisesGascon"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "AndrewMohawk"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Impact:\nUndici\u0027s cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user\u0027s authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream."
            }
          ],
          "value": "Impact:\nUndici\u0027s cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user\u0027s authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-524",
              "description": "CWE-524: Use of Cache Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T17:04:09.680Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6"
        },
        {
          "url": "https://cna.openjsf.org/security-advisories.html"
        }
      ],
      "title": "undici vulnerable to cross-user information disclosure via shared cache whitespace bypass",
      "x_generator": {
        "engine": "cve-kit 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-9678",
    "datePublished": "2026-06-17T17:04:09.680Z",
    "dateReserved": "2026-05-27T08:05:04.453Z",
    "dateUpdated": "2026-06-17T18:05:30.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}






Mitigation

Phase: Architecture and Design

Description:

  • Protect information stored in cache.
Mitigation

Phase: Architecture and Design

Description:

  • Do not store unnecessarily sensitive information in the cache.
Mitigation

Phase: Architecture and Design

Description:

  • Consider using encryption in the cache.
CAPEC-204: Lifting Sensitive Data Embedded in Cache

An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.

Back to CWE stats page