CVE-2026-4277

Authorization Bypass
Affects: Django
Versions: <=3.2.25, <=4.2.29, <=5.2.13, <=6.0.4
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.

An authorization bypass vulnerability (CVE-2026-4277) has been identified in Django, which allows attackers to create inline model instances through forged POST data submitted to admin interfaces using GenericInlineModelAdmin. This improper validation of add permissions on inline model instances can lead to unauthorized object creation and potential privilege escalation within affected Django applications.

Per OWASP: Broken Access Control refers to vulnerabilities that occur when an application does not properly enforce restrictions on what authenticated users are allowed to do. When authorization checks are improperly validated, attackers can perform actions or access functionality beyond their intended privileges.

Details

Vulnerability Info

This low-severity vulnerability is found in the contrib package in all published versions of Django.

Normally, Django enforces strict permission checks within the admin interface to ensure that users can only create or modify model instances they are explicitly authorized to manage. In particular, inline model administration via GenericInlineModelAdmin is designed to respect add permissions, preventing unauthorized users from creating related objects through inline forms.

However, because add permissions are not properly validated for inline model instances, an attacker can submit crafted POST data to admin views that is accepted as valid input for creating new inline objects. This bypass allows unauthorized object creation despite the intended permission restrictions, potentially leading to privilege escalation within affected applications.

The root cause is insufficient enforcement of authorization checks during inline form processing in the Django admin: request data is trusted to describe new inline objects without confirming that the requesting user holds the add permission for that model, so an attacker can manipulate the submitted formset and perform actions beyond their assigned permissions.
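The check that inline-form processing has to make is simple to state: a submitted row that claims to be a new object may only be saved if the user holds the add permission for that model, and a row that edits an existing object only if the user holds the change permission. The following added example is not Django's code and is not part of this advisory; it models that decision in plain Python so it runs without Django installed. AdminUser, InlineRow, InlineResult and the save_inline_rows_* functions are constructed names, the in-memory dict stands in for the database, and the add_<model>/change_<model> codenames follow Django's permission naming convention.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AdminUser:
    """Stand-in for an authenticated admin user (constructed, not Django's
    User).  perms holds codenames such as "add_comment" or "change_comment"."""
    username: str
    perms: frozenset

    def has_perm(self, codename: str) -> bool:
        return codename in self.perms


@dataclass
class InlineRow:
    """One inline form as parsed from the POST body.  pk=None is the client's
    claim that this row should create a new related object."""
    pk: Optional[int]
    data: Dict[str, str]


@dataclass
class InlineResult:
    created: List[int] = field(default_factory=list)
    updated: List[int] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)  # audit-log lines


def _persist(row: InlineRow, db: Dict[int, Dict[str, str]],
             result: InlineResult) -> None:
    """Write one row to the in-memory store and record whether that was a
    creation or an update."""
    if row.pk is None:
        new_pk = max(db, default=0) + 1
        db[new_pk] = dict(row.data)
        result.created.append(new_pk)
    elif row.pk in db:
        db[row.pk].update(row.data)
        result.updated.append(row.pk)


def save_inline_rows_unchecked(user: AdminUser, model: str,
                               rows: List[InlineRow],
                               db: Dict[int, Dict[str, str]]) -> InlineResult:
    """Defective pattern: every submitted row is persisted.  The add
    permission is never consulted, so a forged pk=None row creates an object
    on behalf of a user who was only granted change permission."""
    result = InlineResult()
    for row in rows:
        _persist(row, db, result)
    return result


def save_inline_rows_checked(user: AdminUser, model: str,
                             rows: List[InlineRow],
                             db: Dict[int, Dict[str, str]]) -> InlineResult:
    """Hardened pattern: decide per row whether the user may create (new row)
    or modify (existing row) the related object.  Unauthorised rows are
    treated as unchanged and never saved, and each rejection is logged so the
    attempt is visible to monitoring."""
    can_add = user.has_perm(f"add_{model}")
    can_change = user.has_perm(f"change_{model}")
    result = InlineResult()
    for row in rows:
        is_new = row.pk is None
        if is_new and not can_add:
            result.rejected.append(
                f"{user.username} lacks add_{model}; dropped new row {row.data}")
            continue
        if not is_new and not can_change:
            result.rejected.append(
                f"{user.username} lacks change_{model}; dropped edit to pk={row.pk}")
            continue
        _persist(row, db, result)
    return result


def demo():
    """Constructed scenario: an editor holding only change_comment submits one
    legitimate edit plus one forged 'new' row.  Returns (unchecked, checked)."""
    editor = AdminUser("editor", frozenset({"change_comment"}))
    rows = [InlineRow(pk=1, data={"body": "edited"}),
            InlineRow(pk=None, data={"body": "forged"})]
    unchecked_db = {1: {"body": "original"}}
    checked_db = {1: {"body": "original"}}
    return (save_inline_rows_unchecked(editor, "comment", rows, unchecked_db),
            save_inline_rows_checked(editor, "comment", rows, checked_db))


if __name__ == "__main__":
    before, after = demo()
    print("unchecked:", before)
    print("checked:  ", after)
```

In the unchecked variant the forged row becomes object 2; in the checked variant it is dropped and the rejection line is the signal a defender wants in the audit log, since a change-only user submitting new inline rows is exactly the request pattern this CVE is about. The legitimate edit to object 1 succeeds in both cases, which is the point: the fix narrows what the formset will save, it does not break normal inline editing.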

Mitigation

Django versions 3.2 and 4.2 are End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Django.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • N05ec@LZU-DSLab (finder)

Vulnerability Details

Severity: Low
CVSS assessment bands: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
ID: CVE-2026-4277
Project Affected: Django
Versions Affected: <=3.2.25, <=4.2.29, <=5.2.13, <=6.0.4
NES Versions Affected:
Published date: June 2, 2026
≈ Fix date: April 29, 2026
Category: Authorization Bypass