[Django] #37101: Vary header cache key collision from missing delimiter

Django

May 15, 2026, 10:41:53 AM
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Type: Bug
Status: new | Component: Core (Cache system)
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
When a cached view varies on multiple headers, the values of those headers
are concatenated together in the cache key. There is no delimiter, meaning
the cache keys could overlap:

{{{
X-Region: US
X-Tenant: victim-corp
}}}

{{{
X-Region: U
X-Tenant: Svictim-corp
}}}

The above 2 examples would result in the same cache key, despite being
different values. Changes to the cache key should be made to ensure values
in this way don't collide.

----

This was previously reported to the Security Team by GeonHa. However,
because it requires in-depth knowledge of the system, a lack of user
validation and similar values, it is not considered a vulnerability.
--
Ticket URL: <https://code.djangoproject.com/ticket/37101>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
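
The collision described in the ticket above, as an added example that is not part of the original thread and is not Django's code: a simplified model of hashing Vary header values back to back, next to a length-framed variant. The function names and the framing scheme are assumptions made for illustration; the ticket does not say which fix will be adopted.

```python
import hashlib

# Constructed sample requests, taken from the two header sets in the ticket.
VARY = ["X-Region", "X-Tenant"]
REQ_A = {"X-Region": "US", "X-Tenant": "victim-corp"}
REQ_B = {"X-Region": "U", "X-Tenant": "Svictim-corp"}


def naive_vary_digest(headers, vary):
    """Model of the reported behaviour: values are hashed with no delimiter."""
    ctx = hashlib.md5(usedforsecurity=False)
    for name in vary:
        value = headers.get(name)
        if value is not None:
            ctx.update(value.encode())
    return ctx.hexdigest()


def framed_vary_digest(headers, vary):
    """Hypothetical fix: frame each value as <byte length>:<value>;.

    A length prefix stays unambiguous even if a value contains the
    separator characters, which a plain delimiter would not guarantee.
    """
    ctx = hashlib.md5(usedforsecurity=False)
    for name in vary:
        value = headers.get(name)
        if value is None:
            # Absent header gets its own marker, distinct from an empty value.
            ctx.update(b"-;")
        else:
            raw = value.encode()
            ctx.update(b"%d:" % len(raw))
            ctx.update(raw)
            ctx.update(b";")
    return ctx.hexdigest()


def collides(digest_fn, first, second, vary=VARY):
    """True when two header sets map to the same cache key component."""
    return digest_fn(first, vary) == digest_fn(second, vary)


if __name__ == "__main__":
    print("naive collides: ", collides(naive_vary_digest, REQ_A, REQ_B))
    print("framed collides:", collides(framed_vary_digest, REQ_A, REQ_B))
```

The same check makes a useful regression test for any custom cache key function: feed it pairs of header sets that differ only in where one value ends and the next begins, and pairs that differ only in absent versus empty headers.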

Django

May 15, 2026, 12:08:53 PM
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+------------------------------------
Reporter: Jake Howard | Owner: (none)
Type: Bug | Status: new
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
Changes (by Sarah Boyce):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:1>

Django

May 15, 2026, 1:00:54 PM
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: gonas0919
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by gonas0919):

* owner: (none) => gonas0919
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:2>

Django

1:02 PM
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+------------------------------------
Reporter: Jake Howard | Owner: gonas
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
Comment (by Jason Judkins):

@Gonas Hey, are you still working on this? Happy to collaborate or take it
over if you've moved on.
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:3>

Django

1:23 PM
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+------------------------------------
Reporter: Jake Howard | Owner: gonas
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
Comment (by Jacob Walls):

We're hoping to land a fix for this before the 6.1 beta (June 24), so if
we don't have a PR by early next week, I'll need to pick it up myself.
Happy for you to make a start, Jason.
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:4>