
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN361
_____________________________________________________________________

DATE                : 08/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Django versions prior to 6.0.4,
                     5.2.13, 4.2.30.

=====================================================================
https://www.djangoproject.com/weblog/2026/apr/07/security-releases/
_____________________________________________________________________

Django security releases issued: 6.0.4, 5.2.13, and 4.2.30
Posted by Jacob Walls on 7 April 2026

In accordance with our security release policy, the Django team is
issuing releases for Django 6.0.4, Django 5.2.13, and Django 4.2.30.
These releases address the security issues detailed below. We
encourage all users of Django to upgrade as soon as possible.


Django 4.2 has reached the end of extended support

Note that with this release, Django 4.2 has reached the end of extended
support. All Django 4.2 users are encouraged to upgrade to Django 5.2
or later to continue receiving fixes for security issues.

See the downloads page for a table of supported versions and the future
release schedule.


CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation

ASGIRequest normalizes header names following WSGI conventions, mapping
hyphens to underscores. As a result, even in configurations where reverse
proxies carefully strip security-sensitive headers named with hyphens,
such a header could be spoofed by supplying a header named with
underscores.

Under WSGI, it is the responsibility of the server or proxy to avoid
ambiguous mappings. (Django's runserver was patched in CVE-2015-0219.)
But under ASGI, there is not the same uniform expectation, even if many
proxies protect against this under default configuration (including
nginx via underscores_in_headers off;).

Headers containing underscores are now ignored by ASGIRequest, matching
the behavior of Daphne, the reference server for ASGI.

This issue has severity "low" according to the Django Security Policy.

Thanks to Tarek Nakkouch for the report.
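
The collision the advisory describes, as an added example that is not Django's code: a WSGI-style normalization that maps hyphens to underscores sends two distinct wire names to one META key, so a proxy that strips only the hyphenated spelling still lets the underscore spelling through. The second mode drops any raw name containing an underscore, which is the behaviour the fixed ASGIRequest shares with Daphne. The header list is constructed, and the comma-merging of duplicate header values is modelled on ASGIRequest's handling and should be treated as an assumption.

```python
# Added example, not Django's code: a minimal model of how WSGI-style
# header normalization lets "x_forwarded_for" masquerade as "x-forwarded-for",
# and the mitigation the advisory describes (ignore raw names containing "_").
# Header names are lowercased bytes as an ASGI server delivers them; values
# below are constructed for the demonstration.


def meta_from_headers(headers, ignore_underscore_names):
    """Build a WSGI-style META dict from ASGI (name, value) byte pairs.

    With ignore_underscore_names=False this mirrors the pre-fix behaviour:
    hyphens become underscores, so two distinct wire names collide on one
    META key and their values are merged with a comma (duplicate-header
    handling modelled on ASGIRequest; treat that detail as an assumption).
    With True, names that already contain "_" are dropped, which is the
    behaviour the fixed ASGIRequest and Daphne share.
    """
    meta = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1")
        if ignore_underscore_names and "_" in name:
            continue  # never let an underscore spelling reach META
        key = "HTTP_" + name.upper().replace("-", "_")
        value = raw_value.decode("latin1")
        if key in meta:
            value = meta[key] + "," + value
        meta[key] = value
    return meta


def colliding_names(names):
    """Report wire header names that map to the same META key.

    A check for a proxy's strip-list: every hyphenated name it strips has an
    underscore twin that must be stripped or rejected as well.
    """
    by_key = {}
    for name in names:
        by_key.setdefault(name.upper().replace("-", "_"), []).append(name)
    return {key: group for key, group in by_key.items() if len(group) > 1}


# Constructed request: the proxy replaced any client "x-forwarded-for" with
# the real peer address but did not touch the underscore spelling.
SCOPE_HEADERS = [
    (b"host", b"app.example"),
    (b"x-forwarded-for", b"203.0.113.10"),  # set by the proxy
    (b"x_forwarded_for", b"10.0.0.1"),      # arrived from the client untouched
]

if __name__ == "__main__":
    print(meta_from_headers(SCOPE_HEADERS, ignore_underscore_names=False))
    print(meta_from_headers(SCOPE_HEADERS, ignore_underscore_names=True))
    print(colliding_names(["x-forwarded-for", "x_forwarded_for", "host"]))
```

Running the block shows the pre-fix META carrying both values under HTTP_X_FORWARDED_FOR, while the hardened mode keeps only the proxy-supplied one. On the proxy side, nginx's default `underscores_in_headers off;` already drops the underscore spelling, which is why the issue is rated low; the check in `colliding_names` is for deployments that rely on a proxy without that default.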


CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin

Add permissions on inline model instances were not validated on
submission of forged POST data in GenericInlineModelAdmin.

This issue has severity "low" according to the Django Security Policy.

Thanks to N05ec@LZU-DSLab for the report.


CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable

Admin changelist forms using ModelAdmin.list_editable incorrectly allowed
new instances to be created via forged POST data.

This issue has severity "low" according to the Django Security Policy.
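
The check both CVE-2026-4277 and CVE-2026-4292 call for, as an added, framework-free example that is not Django's admin code: a submitted formset row with no primary key means "create a new object", so an inline formset must tie such rows to the add permission, and a changelist formset (list_editable), which only ever edits existing rows, must reject them outright. Users, permissions, the in-memory store and the forged POST rows are constructed for the demonstration.

```python
# Added example, not Django's admin code: a framework-free model of the
# server-side check behind the two admin advisories.  Validation happens
# before any row is written, so a rejected submission leaves the store
# untouched.  Users, permissions and objects are constructed.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    permissions: set = field(default_factory=set)

    def has_perm(self, codename):
        return codename in self.permissions


@dataclass
class Store:
    """Stand-in for a model table: pk -> field dict."""
    rows: dict = field(default_factory=dict)
    next_pk: int = 1

    def create(self, data):
        pk = self.next_pk
        self.rows[pk] = dict(data)
        self.next_pk += 1
        return pk


def _apply(store, forms):
    """Write submitted rows: create when pk is absent, update when it exists."""
    for form in forms:
        pk = form.get("pk")
        if pk is None:
            store.create(form["data"])
        elif pk in store.rows:
            store.rows[pk].update(form["data"])
    return len(store.rows)


def save_formset_unchecked(store, forms):
    """Pre-fix shape: trusts the submitted rows, creating whenever pk is absent."""
    return _apply(store, forms)


def save_inline_formset(store, forms, user, add_perm):
    """Inline admin: rows without a pk are creations and need the add permission."""
    if any(form.get("pk") is None for form in forms) and not user.has_perm(add_perm):
        raise PermissionDenied("add permission required for new inline rows")
    return _apply(store, forms)


def save_changelist_formset(store, forms):
    """list_editable: every row must name an existing object; never create."""
    if any(form.get("pk") is None or form["pk"] not in store.rows for form in forms):
        raise PermissionDenied("changelist edits may only target existing rows")
    return _apply(store, forms)


def attempt(save, store, *args):
    """Run a save; report ('saved', row_count) or ('denied', row_count)."""
    try:
        return "saved", save(store, *args)
    except PermissionDenied:
        return "denied", len(store.rows)


# Constructed POST: one legitimate edit of pk 1 plus a forged extra row.
FORGED_FORMS = [
    {"pk": 1, "data": {"title": "edited"}},
    {"pk": None, "data": {"title": "injected"}},
]


def fresh_store():
    return Store({1: {"title": "orig"}}, next_pk=2)


if __name__ == "__main__":
    change_only = User({"app.change_item"})
    print(attempt(save_formset_unchecked, fresh_store(), FORGED_FORMS))
    print(attempt(save_inline_formset, fresh_store(), FORGED_FORMS, change_only, "app.add_item"))
    print(attempt(save_changelist_formset, fresh_store(), FORGED_FORMS))
```

The unchecked save ends with two rows, the forged one included; the inline save with a change-only user and the changelist save both refuse the submission and leave the single original row as it was, while a user who does hold the add permission can still create through the inline path.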


CVE-2026-33033: Potential denial-of-service vulnerability in
MultiPartParser via base64-encoded file upload

When using django.http.multipartparser.MultiPartParser, multipart uploads
with Content-Transfer-Encoding: base64 that include excessive whitespace
may trigger repeated memory copying, potentially degrading performance.

This issue has severity "moderate" according to the Django Security Policy.

Thanks to Seokchan Yoon for the report.


CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests
via memory upload limit bypass

ASGI requests with a missing or understated Content-Length header could
bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body,
potentially loading an unbounded request body into memory and causing
service degradation.

This issue has severity "low" according to the Django Security Policy.

Thanks to Superior for the report.
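
The two ways of applying DATA_UPLOAD_MAX_MEMORY_SIZE to an ASGI body, as an added example that is not Django's code: the first compares only the declared Content-Length with the limit, so a missing or understated header lets the whole stream into memory; the second counts the bytes that actually arrive. The `receive()` stub and the chunks are constructed; a real ASGI server delivers `http.request` events in the same shape but is not obliged to enforce Content-Length on the caller's behalf.

```python
# Added example, not Django's code: reading an ASGI request body against
# a memory limit.  read_body_trusting_header has the pre-fix weakness;
# read_body_counting_bytes enforces the limit on bytes received.  The
# receive() stub and chunks below are constructed for the demonstration.
import asyncio


class RequestDataTooBig(Exception):
    pass


async def read_body_trusting_header(receive, declared_length, limit):
    """Pre-fix shape: only the declared Content-Length is compared with the limit."""
    if declared_length is not None and declared_length > limit:
        raise RequestDataTooBig("declared Content-Length exceeds limit")
    chunks = []
    while True:
        event = await receive()
        chunks.append(event.get("body", b""))
        if not event.get("more_body", False):
            return b"".join(chunks)


async def read_body_counting_bytes(receive, declared_length, limit):
    """Hardened: the limit applies to bytes received, whatever the header says."""
    if declared_length is not None and declared_length > limit:
        raise RequestDataTooBig("declared Content-Length exceeds limit")
    chunks, received = [], 0
    while True:
        event = await receive()
        chunk = event.get("body", b"")
        received += len(chunk)
        if received > limit:
            raise RequestDataTooBig("body exceeds limit after %d bytes" % received)
        chunks.append(chunk)
        if not event.get("more_body", False):
            return b"".join(chunks)


def make_receive(chunks):
    """Turn a list of byte chunks into an ASGI-style receive() coroutine."""
    remaining = list(chunks)

    async def receive():
        if not remaining:
            return {"type": "http.request", "body": b"", "more_body": False}
        body = remaining.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(remaining)}

    return receive


def run_reader(reader, chunks, declared_length, limit):
    """Drive a reader synchronously; return bytes read, or -1 if rejected."""
    try:
        body = asyncio.run(reader(make_receive(chunks), declared_length, limit))
    except RequestDataTooBig:
        return -1
    return len(body)


# Constructed request: Content-Length claims 100 bytes, the stream carries 5000
# against a deliberately small limit of 1024 bytes.
LIMIT = 1024
CHUNKS = [b"A" * 1000] * 5
DECLARED = 100

if __name__ == "__main__":
    print("trusting header:", run_reader(read_body_trusting_header, CHUNKS, DECLARED, LIMIT))
    print("counting bytes: ", run_reader(read_body_counting_bytes, CHUNKS, DECLARED, LIMIT))
    print("missing header: ", run_reader(read_body_counting_bytes, CHUNKS, None, LIMIT))
```

The header-trusting reader accepts all 5000 bytes because the declared 100 is under the limit, and a missing header is never checked at all; the counting reader rejects the stream as soon as the second chunk pushes the total past 1024, whether or not a Content-Length was declared.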


Affected supported versions

    Django main
    Django 6.0
    Django 5.2
    Django 4.2


Resolution

Patches to resolve the issue have been applied to Django's main, 6.0,
5.2, and 4.2 branches. The patches may be obtained from the following
changesets.


CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation

    On the main branch
    On the 6.0 branch
    On the 5.2 branch
    On the 4.2 branch

CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin

    On the main branch
    On the 6.0 branch
    On the 5.2 branch
    On the 4.2 branch

CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable

    On the main branch
    On the 6.0 branch
    On the 5.2 branch
    On the 4.2 branch

CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser
via base64-encoded file upload

    On the main branch
    On the 6.0 branch
    On the 5.2 branch
    On the 4.2 branch

CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests
via memory upload limit bypass

    On the main branch
    On the 6.0 branch
    On the 5.2 branch
    On the 4.2 branch

The following releases have been issued

    Django 6.0.4 (download Django 6.0.4 | 6.0.4 checksums)
    Django 5.2.13 (download Django 5.2.13 | 5.2.13 checksums)
    Django 4.2.30 (download Django 4.2.30 | 4.2.30 checksums)

The PGP key ID used for this release is Jacob Walls: 131403F4D16D8DC7


General notes regarding security reporting

As always, we ask that potential security issues be reported via private email
to security@djangoproject.com, and not via Django's Trac instance, nor via the
Django Forum. Please see our security policies for further information.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================