Moderate severity · NVD Advisory · Published Jan 23, 2007 · Updated Apr 23, 2026

CVE-2007-0405

Description

The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.
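
The failure mode described above can be reproduced in isolation. The following is an added example, not Django's code: `Request`, `get_user` and `users_seen` are stand-ins, and it assumes the descriptor is a class attribute of the request class, so every request in the process reaches the same descriptor instance.

```python
# Added illustration; not Django source. Request, get_user and users_seen are stand-ins.

class Request:
    """Minimal stand-in for an HTTP request carrying a session."""
    def __init__(self, session):
        self.session = session


def get_user(request):
    """Stand-in for django.contrib.auth.get_user: resolve the user from the session."""
    return request.session["user"]


class SharedCacheLazyUser:
    """Pre-fix shape (removed lines of the diff): cache stored on the descriptor."""
    def __init__(self):
        self._user = None

    def __get__(self, request, obj_type=None):
        if self._user is None:
            self._user = get_user(request)
        return self._user


class PerRequestLazyUser:
    """Post-fix shape (added lines of the diff): cache stored on the request."""
    def __get__(self, request, obj_type=None):
        if not hasattr(request, "_cached_user"):
            request._cached_user = get_user(request)
        return request._cached_user


def users_seen(descriptor_cls, session_users):
    """Return the user each in-flight request resolves, in order.

    Assumption: one descriptor instance sits on the request class, so all
    request objects created from that class share it.
    """
    request_cls = type("DemoRequest", (Request,), {"user": descriptor_cls()})
    requests = [request_cls({"user": name}) for name in session_users]
    return [req.user for req in requests]


if __name__ == "__main__":
    # Constructed sample sessions for two different authenticated users.
    print("shared cache:     ", users_seen(SharedCacheLazyUser, ["alice", "bob"]))
    print("per-request cache:", users_seen(PerRequestLazyUser, ["alice", "bob"]))
```

With the cache on the descriptor, the second request resolves to the first request's user; with the cache on the request, each request resolves its own.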

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
Django (PyPI)    >= 0.95, < 1.0       1.0

Patches

e89f0a65581f

0.95-bugfixes: Apply fix to LazyUser from [3754]

https://github.com/django/django · James Bennett · Jan 20, 2007 · via ghsa
1 file changed · +3 -6
  • django/contrib/auth/middleware.py · +3 -6 · modified
    @@ -1,12 +1,9 @@
     class LazyUser(object):
    -    def __init__(self):
    -        self._user = None
    -
         def __get__(self, request, obj_type=None):
    -        if self._user is None:
    +        if not hasattr(request, '_cached_user'):
                 from django.contrib.auth import get_user
    -            self._user = get_user(request)
    -        return self._user
    +            request._cached_user = get_user(request)
    +        return request._cached_user
     
     class AuthenticationMiddleware(object):
         def process_request(self, request):
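
Review bot: The new `hasattr(request, '_cached_user')` check in `__get__` has no comment saying why the cache must live on the request rather than on `self`, and the change touches only `django/contrib/auth/middleware.py`, so nothing stops a later cleanup from moving the cache back onto the descriptor. Add a one-line comment above the check, plus a regression test that resolves `request.user` for two requests with different sessions and asserts that each gets its own user.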
    
3c5782287e

Fixed #2702 -- Fixed LazyUser to store cache as attribute of request, not class. Thanks for the patch, jkocherhans

https://github.com/django/django · Adrian Holovaty · Sep 12, 2006 · via ghsa
1 file changed · +3 -6
  • django/contrib/auth/middleware.py · +3 -6 · modified
    @@ -1,12 +1,9 @@
     class LazyUser(object):
    -    def __init__(self):
    -        self._user = None
    -
         def __get__(self, request, obj_type=None):
    -        if self._user is None:
    +        if not hasattr(request, '_cached_user'):
                 from django.contrib.auth import get_user
    -            self._user = get_user(request)
    -        return self._user
    +            request._cached_user = get_user(request)
    +        return request._cached_user
     
     class AuthenticationMiddleware(object):
         def process_request(self, request):
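
Review bot: `__get__` still assumes `request` is an instance. On class-level access the descriptor protocol passes `request=None`, so the `hasattr` check is false, `get_user(None)` is called, and the assignment to `request._cached_user` cannot succeed on `None`. Consider an early `if request is None: return self` before the `hasattr` check so that class-level access returns the descriptor instead of failing inside the lookup.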
    
