SB20260407104 - Multiple vulnerabilities in Django

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260407104

SB20260407104 - Multiple vulnerabilities in Django

Published: April 7, 2026

Security Bulletin ID SB20260407104
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2026-3902)

The vulnerability allows a remote attacker to spoof security-sensitive headers.

The vulnerability exists due to improper input validation in ASGIRequest when processing request headers. A remote attacker can supply a header name with underscores to spoof security-sensitive headers.

This issue affects ASGI deployments where hyphenated and underscored header names may be treated ambiguously.


2) Improper access control (CVE-ID: CVE-2026-4277)

The vulnerability allows a remote user to create inline model instances without proper add permissions.

The vulnerability exists due to improper access control in GenericInlineModelAdmin when processing forged POST data. A remote user can submit forged POST data to create inline model instances without proper add permissions.


3) Improper access control (CVE-ID: CVE-2026-4292)

The vulnerability allows a remote user to create new instances through admin changelist forms.

The vulnerability exists due to improper access control in ModelAdmin.list_editable when processing forged POST data. A remote user can submit forged POST data to create new instances through admin changelist forms.


4) Resource exhaustion (CVE-ID: CVE-2026-33033)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in django.http.multipartparser.MultiPartParser when processing multipart uploads with base64-encoded files containing excessive whitespace. A remote attacker can send a specially crafted multipart upload to cause a denial of service.

The issue may trigger repeated memory copying and degrade performance.


5) Improper input validation (CVE-ID: CVE-2026-33034)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ASGI request handling when reading HttpRequest.body from requests with a missing or understated Content-Length header. A remote attacker can send a specially crafted request to cause a denial of service.

The issue can bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit and load an unbounded request body into memory.


Remediation

Install update from vendor's website.

References