PYSEC-2026-629

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2026-629.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-629
Aliases
Published
2026-07-02T14:13:19.912742Z
Modified
2026-07-06T08:00:11.820294769Z
Summary
Django Improper Access Control
Details

The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.95
Fixed
1.0

Affected versions

0.*
0.95

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2026-629.yaml"