Django Security Advisory: 5 Vulnerabilities (ASGI Spoofing, Privilege Abuse, DoS)

Vulnerability Overview This security advisory covers five security vulnerabilities affecting different components of Django: 1. CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation Description: The normalizes header names by converting hyphens to underscores. Under ASGI configuration, attackers may exploit this mechanism to perform header spoofing. Severity: Low 2. CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin Description: In , permissions for inline model instances are not validated, allowing operations via forged POST data. Severity: Low 3. CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable Description: The form incorrectly allows the creation of new instances via forged POST data. Severity: Low 4. CVE-2026-33033: Potential denial-of-service vulnerability in MultipartParser via base64-encoded file upload Description: When processes file uploads with containing excessive whitespace, it may cause repeated memory copying, leading to a denial-of-service (DoS) condition. Severity: Moderate 5. CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass Description: ASGI requests lacking or underestimating the header may bypass the limit, causing the request body to be loaded into memory and resulting in service degradation. Severity: Low Affected Versions The following Django versions are affected by the vulnerabilities listed above: Django main (development version) Django 6.0 Django 5.2 Django 4.2 Remediation Patches have been applied to the , , , and branches of Django. Released Fixed Versions: Django 6.0.4 Django 5.2.13 Django 4.2.30 Branch Fix Details: CVE-2026-3902: Fixed in , , , and branches. CVE-2026-4277: Fixed in , , , and branches. CVE-2026-4292: Fixed in , , , and branches. CVE-2026-33033: Fixed in , , , and branches. CVE-2026-33034: Fixed in , , , and branches. Note: Specific POCs or exploit code are not included in this advisory.

Goal Reached Thanks to every supporter — we hit 100%!

Django Security Advisory: 5 Vulnerabilities (ASGI Spoofing, Privilege Abuse, DoS)