CWE-524 (Use of Cache Containing Sensitive Information) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-35193 | 2026-06-03 | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for reque… |
| CVE-2026-48901 | 2026-05-26 | The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. |
| CVE-2026-32244 | 2026-05-19 | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivi… |
| CVE-2026-44457 | 2026-05-13 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Au… |
| CVE-2026-6907 | 2026-05-05 | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). Th… |
| CVE-2026-22741 | 2026-04-29 | Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the app… |
| CVE-2025-14806 | 2026-03-17 | IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an attacker to trick the caching mechanism into storing and serving sensitive, user-specific responses as publicly cacheable resources. |
| CVE-2026-27205 | 2026-02-21 | Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Us… |
| CVE-2026-25540 | 2026-02-04 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FET… |
| CVE-2026-24472 | 2026-01-27 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper hand… |
| CVE-2025-69581 | 2026-01-16 | An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the … |
| CVE-2025-69202 | 2025-12-29 | Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached… |
| CVE-2025-43410 | 2025-12-12 | The issue was addressed with improved handling of caches. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.2. An attacker with physical access may be able to view delet… |
| CVE-2025-64696 | 2025-12-09 | Android App "Brother iPrint&Scan" versions 6.13.7 and earlier improperly uses an external cache directory. If exploited, application-specific files may be accessed from other malicious applications. |
| CVE-2025-65681 | 2025-11-26 | An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-contr… |
| CVE-2025-64762 | 2025-11-21 | The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated res… |
| CVE-2025-61598 | 2025-10-28 | Discourse is an open source discussion platform. Version before 3.6.2 and 3.6.0.beta2, default Cache-Control response header with value no-store, no-cache was missing from error responses. This may ca… |
| CVE-2025-9901 | 2025-09-03 | A flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on reque… |
| CVE-2025-57752 | 2025-08-29 | Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key conf… |
| CVE-2025-5141 | 2025-06-17 | A binary in the BoKS Server Agent component of Fortra's Core Privileged Access Manager (BoKS) on versions 7.2.0 (up to 7.2.0.17), 8.1.0 (up to 8.1.0.22), 8.1.1 (up to 8.1.1.7), 9.0.0 (up to 9.0.0.1) a… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Taxonomy_Mappings |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Name |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships, Taxonomy_Mappings |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2017-01-19 | CWE Content Team | 2.10 | — | updated Related_Attack_Patterns |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Taxonomy_Mappings |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Description, Name, Relationships, Type |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Observed_Examples |