CVE-2026-1312
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.
A SQL injection vulnerability (CVE-2026-1312) has been identified in Django, where QuerySet.order_by() could be exploited through column aliases containing periods when combined with a suitably crafted dictionary expansion in FilteredRelation. This improper validation of user-controlled query construction input may allow attackers to inject malicious SQL into generated database queries, potentially resulting in unauthorized data access, modification of database contents, or execution of unintended database operations within affected Django applications.
Per OWASP: SQL Injection vulnerabilities occur when an application improperly incorporates untrusted input into database queries, allowing attackers to alter the structure or behavior of SQL statements. By injecting specially crafted input into query parameters, attackers may be able to access unauthorized data, modify database contents, execute administrative operations, or bypass application security controls.
Details
Module Info
- Product: Django
- Affected packages: django
- Affected versions: <=3.2.25, <=4.2.27, <=5.2.10, <=6.0.1
- GitHub repository: https://github.com/django/django
- Published packages: https://pypi.org/project/Django/
- Package manager: pip
- Fixed in: Django NES v3.2.27 and v4.2.31
Vulnerability Info
This High-severity vulnerability is found in the db package in all published versions of Django.
Normally, Django’s ORM is designed to safely construct SQL queries by validating and escaping query parameters before incorporating them into database operations. In particular, query-building features such as QuerySet.order_by() and FilteredRelation are intended to safely process column aliases and dynamically generated query components without allowing user-controlled input to alter the structure of generated SQL statements.
However, due to improper sanitization of column aliases containing periods when used with crafted dictionary expansion in FilteredRelation, an attacker can supply specially crafted input that is interpreted as part of the underlying SQL query. This behavior may allow attackers to manipulate database queries through SQL injection, potentially resulting in unauthorized data access, modification of database contents, or execution of unintended database operations within affected Django applications.
This issue arises from insufficient validation of user-controlled alias values during SQL query generation in Django’s ORM, enabling attackers to inject malicious SQL through specially crafted QuerySet.order_by() and FilteredRelation parameters.
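As an added illustration (not code from this advisory or from the Django project), the application-level check that limits what a request can feed into QuerySet.order_by(): user-supplied ordering tokens are matched against a fixed allowlist of field names before the ORM ever sees them, so text containing periods, quotes or other non-identifier characters never reaches query construction. ALLOWED_ORDER_FIELDS, the function names and the sample inputs are assumptions; the code does not import Django and runs standalone. It does not replace upgrading, which is the fix for this CVE, but it narrows the request-controlled surface that the vulnerable code path depends on.

```python
import re
from typing import Iterable, List, Optional, Sequence

# Hypothetical allowlist: the only fields an API client may sort on. In a real
# application this comes from the model definition, never from the request.
ALLOWED_ORDER_FIELDS = frozenset({"id", "created", "title", "author__name"})

# ORM ordering tokens are identifiers, optionally '-'-prefixed, joined by '__'.
# Anything else (periods, quotes, spaces, semicolons) is rejected outright.
_SAFE_ORDER_RE = re.compile(r"-?[A-Za-z_][A-Za-z0-9_]*(?:__[A-Za-z_][A-Za-z0-9_]*)*")


class UnsafeOrderingError(ValueError):
    """Raised when a requested ordering token is not a plain allowlisted field."""


def validate_ordering(requested: Iterable[str],
                      allowed: frozenset = ALLOWED_ORDER_FIELDS) -> List[str]:
    """Return the tokens unchanged only if every one is an allowlisted field.

    The check runs before the tokens reach QuerySet.order_by(), so the ORM
    never receives request-controlled text that is not an expected field name.
    """
    cleaned: List[str] = []
    for token in requested:
        if not isinstance(token, str) or not _SAFE_ORDER_RE.fullmatch(token):
            raise UnsafeOrderingError(f"ordering token {token!r} is not a plain field name")
        field = token[1:] if token.startswith("-") else token
        if field not in allowed:
            raise UnsafeOrderingError(f"ordering field {field!r} is not allowlisted")
        cleaned.append(token)
    return cleaned


def is_safe_ordering(requested: Iterable[str],
                     allowed: frozenset = ALLOWED_ORDER_FIELDS) -> bool:
    """Boolean form of validate_ordering for callers that prefer not to catch."""
    try:
        validate_ordering(requested, allowed)
    except UnsafeOrderingError:
        return False
    return True


def ordering_from_request(param: Optional[str],
                          default: Sequence[str] = ("-id",),
                          allowed: frozenset = ALLOWED_ORDER_FIELDS) -> List[str]:
    """Turn a raw '?ordering=a,-b' query-string value into a validated list.

    Missing or empty input falls back to the application default; any invalid
    token raises, so the view can answer 400 instead of passing it to order_by().
    """
    if not param:
        return list(default)
    tokens = [t.strip() for t in param.split(",") if t.strip()]
    if not tokens:
        return list(default)
    return validate_ordering(tokens, allowed)


if __name__ == "__main__":
    # Constructed sample inputs, as a client might send them.
    print(ordering_from_request("title,-created"))   # ['title', '-created']
    print(ordering_from_request(None))               # ['-id']
    for sample in ("author.name", "title; x", "secret_field"):
        verdict = "accepted" if is_safe_ordering([sample]) else "rejected"
        print(sample, "->", verdict)
```

In a view, call `ordering_from_request(request.GET.get("ordering"))` and pass the returned list to `order_by(*fields)`; the same allowlist should gate any alias that ends up in a FilteredRelation or annotation, since the advisory's issue is in how those request-influenced names are carried into generated SQL.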
Mitigation
Django versions 3.2 and 4.2 are End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Django.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Solomon Kebede (finder)