Update dependency django to v6.0.6 [SECURITY] #505

Open: ll-renovate-bot[bot] wants to merge 1 commit into main from renovate/pypi-django-vulnerability

@ll-renovate-bot
Contributor

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| django (changelog) | project.dependencies | patch | ==6.0.5 → ==6.0.6 |

BIT-django-2026-35193 / CVE-2026-35193 / PYSEC-2026-197

Details

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Shai Berger for reporting this issue.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


BIT-django-2026-48587 / CVE-2026-48587 / PYSEC-2026-198

Details

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
django.utils.cache.has_vary_header() in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Navid Rezazadeh for reporting this issue.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


BIT-django-2026-6873 / CVE-2026-6873 / PYSEC-2026-199

Details

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
django.http.HttpRequest.get_signed_cookie in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct (name, salt) pairs that produce the same concatenation.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Peng Zhou for reporting this issue.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


BIT-django-2026-7666 / CVE-2026-7666 / PYSEC-2026-200

Details

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when fail_silently=True, which allows on-path network attackers to read email content via cleartext interception.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kasper Dupont for reporting this issue.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


BIT-django-2026-8404 / CVE-2026-8404 / PYSEC-2026-201

Details

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their Cache-Control directives used uppercase or mixed-case values.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Ahmed Badawe for reporting this issue.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


Release Notes

django/django (django)

v6.0.6


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
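
Added example, not part of this PR or of Django's code: the CVE-2026-6873 entry above describes a salt derived by concatenating the cookie name and the salt argument, and this sketch shows why that derivation is not injective and how framing each part removes the ambiguity. The HMAC signer, the secret, the cookie names and the length-prefixed `framed_salt` are constructed assumptions for illustration; they are not Django's signer or its actual fix.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, not a real key


def concat_salt(name: str, salt: str) -> bytes:
    # Derivation described in the advisory: name and salt joined with no boundary.
    return (name + salt).encode()


def framed_salt(name: str, salt: str) -> bytes:
    # Assumed injective alternative: length-prefix each part so the boundary
    # between name and salt is part of the derived bytes.
    parts = (name.encode(), salt.encode())
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign(value: str, name: str, salt: str, derive) -> str:
    # Per-context key = HMAC(SECRET, derived salt); tag = HMAC(key, value).
    key = hmac.new(SECRET, derive(name, salt), hashlib.sha256).digest()
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{tag}"


def verify(signed: str, name: str, salt: str, derive) -> bool:
    value, sep, _ = signed.rpartition(":")
    if not sep:
        return False
    expected = sign(value, name, salt, derive)
    return hmac.compare_digest(signed.encode(), expected.encode())


def accepted_across_contexts(derive) -> bool:
    # Signed for cookie "user" with salt "id-reset", presented as cookie
    # "userid" with salt "-reset"; both pairs concatenate to "userid-reset".
    cookie = sign("42", "user", "id-reset", derive)
    return verify(cookie, "userid", "-reset", derive)


if __name__ == "__main__":
    print("concatenation:", accepted_across_contexts(concat_salt))
    print("length-framed:", accepted_across_contexts(framed_salt))
```

Until the upgrade lands, reviewing `get_signed_cookie` call sites for (name, salt) pairs whose concatenations coincide tells you whether any two signing contexts in the project actually overlap.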

@ll-renovate-bot ll-renovate-bot Bot enabled auto-merge (squash) June 7, 2026 00:48
@ll-renovate-bot
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: uv.lock
Command failed: uv lock --upgrade-package django
Using CPython 3.14.4 interpreter at: /opt/containerbase/tools/python/3.14.4/bin/python3.14
  × No solution found when resolving dependencies:
  ╰─▶ Because there is no version of django==6.0.6 and your project depends
      on django==6.0.6, we can conclude that your project's requirements are
      unsatisfiable.

hint: `django` was filtered by `exclude-newer` to only include packages uploaded before 2026-05-31T00:47:56.232512678Z. The requested version, v6.0.6, was published at 2026-06-03T13:02:41.72Z. Consider using `exclude-newer-package` to override the cutoff for this package.

@codecov

codecov Bot commented Jun 7, 2026

⚠️ JUnit XML file not found

The CLI was unable to find any JUnit XML files to upload.
For more help, visit our troubleshooting guide.
