Django 5.2.14 release notes
May 5, 2026
Django 5.2.14 fixes three security issues with severity “low” in 5.2.13.
CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.
This issue has severity “low” according to the Django security policy.
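The bypass described above comes down to enforcing the limit against the declared length rather than the bytes actually received. The following added example (not Django's own code) contrasts a reader that only checks the Content-Length header with one that counts bytes as they arrive; the function names, the sample chunks and the 2 KiB limit are constructed for illustration.

```python
from io import BytesIO
from typing import Iterable, Optional


class BodyTooLarge(Exception):
    """Raised when an upload body would exceed the in-memory limit."""


def read_trusting_declared_length(chunks: Iterable[bytes],
                                  content_length: Optional[int],
                                  limit: int) -> bytes:
    """Weak pattern: decide solely from the declared Content-Length.
    A missing (None) or understated header passes the check, after which
    every byte the client actually sends is buffered in memory."""
    if content_length is not None and content_length > limit:
        raise BodyTooLarge(f"declared {content_length} > limit {limit}")
    return b"".join(chunks)


def read_bounded_body(chunks: Iterable[bytes],
                      content_length: Optional[int],
                      limit: int) -> bytes:
    """Hardened pattern: the header is only an early-reject hint; the real
    guard is the running count of bytes actually received."""
    if content_length is not None and content_length > limit:
        raise BodyTooLarge(f"declared {content_length} > limit {limit}")
    buf, received = BytesIO(), 0
    for chunk in chunks:
        received += len(chunk)
        if received > limit:
            # Stop before the over-limit chunk is retained in memory.
            raise BodyTooLarge(f"received {received} > limit {limit}")
        buf.write(chunk)
    return buf.getvalue()


# Constructed sample: the client declares 1 KiB but streams 5 KiB
# against a 2 KiB in-memory limit (values chosen for illustration).
SAMPLE_CHUNKS = [b"x" * 1024 for _ in range(5)]
SAMPLE_DECLARED, SAMPLE_LIMIT = 1024, 2048


def demo() -> dict:
    trusting = len(read_trusting_declared_length(
        SAMPLE_CHUNKS, SAMPLE_DECLARED, SAMPLE_LIMIT))
    try:
        read_bounded_body(SAMPLE_CHUNKS, SAMPLE_DECLARED, SAMPLE_LIMIT)
        rejected = False
    except BodyTooLarge:
        rejected = True
    return {"trusting_bytes": trusting, "bounded_rejected": rejected}
```

`demo()` shows the trusting reader buffering all 5120 bytes while the bounded reader rejects the body once the third chunk pushes it past the limit.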
CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
Response headers did not vary on cookies if a session was not modified, but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.
This issue has severity “low” according to the Django security policy.
CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
Previously, UpdateCacheMiddleware would erroneously cache requests where the Vary header contained an asterisk ('*'). This could lead to private data being stored and served.
This issue has severity “low” according to the Django security policy.