django CMS 5.0.8 released: a security update everyone should install

Fabian Braun

June 10, 2026

We're happy to announce the release of django CMS 5.0.8. This is primarily a security release, and we strongly recommend that all users upgrade as soon as possible.

Please upgrade: Some security issues fixed

This release addresses two security vulnerabilities. If you run django CMS in production, treat this upgrade as a priority.

Missing authorization on structure, move and clipboard endpoints (#8644)

The placeholder structure, plugin move, and clipboard endpoints did not consistently enforce permission checks. In practice, this meant a user without the required permissions could potentially read or manipulate plugins on a page. django CMS 5.0.8 now enforces authorization on all three endpoints.

Plugin-declared Vary headers ignored in the page cache key (#8646)

The page cache key previously did not honour Vary headers declared by plugins. As a result, a cached response could be served to a request that should have received a different, varied response — for example, content that varies by cookie or by other request headers. Plugin-declared Vary headers are now included in the cache key, so varied content is cached and served correctly.
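To make the cache-key issue concrete, the following added example (not django CMS code and not taken from the release; `PageCache`, `render_page` and both key functions are hypothetical names) models a page cache keyed without and with plugin-declared Vary headers. The two requests and the page body are constructed sample data.

```python
import hashlib

def render_page(path, headers):
    # Constructed stand-in for a page containing a plugin whose output depends
    # on the Cookie header and which therefore declares "Vary: Cookie".
    return {"body": f"{path} for {headers.get('cookie', 'anonymous')}",
            "vary": ["cookie"]}

def key_ignoring_vary(path, headers, vary):
    # Behaviour the post describes before the fix: only the path is keyed.
    return hashlib.sha256(path.encode()).hexdigest()

def key_with_vary(path, headers, vary):
    # Fold the request's value for every declared Vary header into the key.
    digest = hashlib.sha256(path.encode())
    for name in sorted(vary):
        digest.update(f"\0{name}\0{headers.get(name, '')}".encode())
    return digest.hexdigest()

class PageCache:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.responses = {}     # cache key -> cached response
        self.vary_by_path = {}  # path -> Vary names learned from a response

    def fetch(self, path, headers):
        headers = {k.lower(): v for k, v in headers.items()}
        vary = self.vary_by_path.get(path, [])
        key = self.key_fn(path, headers, vary)
        if key in self.responses:
            return self.responses[key]["body"]  # cache hit
        response = render_page(path, headers)
        # Remember which headers this page varies on, then store the response
        # under a key computed with that list.
        self.vary_by_path[path] = response["vary"]
        self.responses[self.key_fn(path, headers, response["vary"])] = response
        return response["body"]

def second_visitor_body(key_fn):
    # Two constructed requests for the same path with different cookies;
    # returns what the second visitor is served.
    cache = PageCache(key_fn)
    cache.fetch("/account/", {"Cookie": "session=alice"})
    return cache.fetch("/account/", {"Cookie": "session=bob"})
```

With `key_ignoring_vary` the second visitor is served the body rendered for the first; with `key_with_vary` each cookie value gets its own cache entry.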

A big thank you to the security researchers who responsibly disclosed these issues: @mauriceng98, @lzhou1110, @Zyy0530, @Str1ckl4nd, and @7thParkk.

A reminder on reporting security issues. Please send all security reports, patches, and concerns to our security team by email at [email protected]. Do not report security issues on the public issue tracker or any mailing list. See our security policy for details.

What's new: read-only slugs for shared URLs

Before this release, editing a page in the admin could silently change the URL of a published version when both versions shared the same slug or overwrite URL (#8640). That's an easy way to break a live URL without meaning to.

To prevent this, the slug and overwrite URL fields are now rendered read-only whenever a page content's URL is shared with a published version. The fields display explanatory help text describing how to make them editable again, and locked URLs are no longer updated on save even if different slug data is posted (#8654).

Other bug fixes

This release also rolls up several fixes reported and contributed by the community, including:

  • Template-specific CMS_PLACEHOLDER_CONF keys were ignored when rendering page placeholders (#8652).
  • A missing redirect_url in CMSNavigationNode.attr (#8625).
  • GrouperModelAdmin shadowed the prepopulated_fields class attribute (#8636).
  • Delete and edit-title views now return a proper 404 instead of a 500 for missing objects.
  • Internal fixes to the release and Transifex upload scripts.

Django and Python compatibility

django CMS supports Django 4.2, 5.0, 5.1, 5.2, and 6.0, and Python 3.10, 3.11, 3.12, and 3.13. As always, we strongly recommend running the latest release in each series.

How to upgrade

Update your project's requirements.txt to require at least django CMS 5.0.8 and install it:

pip install -r requirements.txt

Then run your migrations:

python -m manage migrate

If you're upgrading from an earlier version, please read the release notes for every version between your current one and 5.0.8 to check for any special instructions.

Happy upgrading! 🚀