CVE-2026-4292

Authorization Bypass
Affects: Django
Versions: <=3.2.25, <=4.2.29, <=5.2.13, <=6.0.4
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.

An authorization bypass vulnerability (CVE-2026-4292) has been identified in Django, which allows attackers to create new model instances through forged POST data submitted to admin changelist forms using ModelAdmin.list_editable. This improper handling of editable admin forms can lead to unauthorized object creation and potential privilege abuse within affected Django applications.

Per OWASP: Broken Access Control refers to vulnerabilities that occur when an application does not properly enforce restrictions on what authenticated users are allowed to do. When authorization checks are improperly validated, attackers can perform actions or access functionality beyond their intended privileges.

Details

Module Info

Vulnerability Info

This Low-severity vulnerability is found in the contrib package in all published versions of Django.

Normally, the Django admin enforces strict controls over how model instances can be created and modified, ensuring that only explicitly permitted actions are processed through validated forms. In particular, the ModelAdmin.list_editable feature is intended to allow bulk editing of existing objects directly from the changelist view, without permitting the creation of new objects.

However, due to improper handling of crafted POST requests, an attacker can submit forged form data to the admin changelist view that is interpreted as valid input for creating new model instances. This bypasses the intended restriction that list_editable should only modify existing records, effectively allowing unauthorized object creation and potential privilege abuse within the admin interface.

This issue arises from insufficient validation of incoming form data in the admin changelist workflow, enabling attackers with access to the admin interface to manipulate request parameters and perform unintended actions beyond their authorized permissions.
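An added defensive example, not code from this advisory or from Django: a ModelAdmin mixin for a deployment that cannot upgrade immediately, which refuses to persist any list_editable row that does not correspond to an object already in the admin's queryset. It relies on Django's changelist_view calling save_model with change=True for each changed formset row; the mixin name, the exception message and the stand-in ModelAdmin used to exercise it are this example's own.

```python
# Added example, not Django's upstream fix: a ModelAdmin mixin that refuses to persist
# any list_editable row that is not already in the admin's queryset. Names are made up.
from types import SimpleNamespace

try:
    from django.core.exceptions import PermissionDenied
except ImportError:  # fallback only so the snippet runs outside a Django project
    class PermissionDenied(Exception):
        pass

class ExistingObjectsOnlyMixin:
    """Mix in before ModelAdmin on an admin that uses list_editable: changelist_view
    calls save_model(..., change=True) per changed row, so an instance with no pk, or
    a pk this admin's queryset cannot see, did not come from an existing record."""
    def save_model(self, request, obj, form, change):
        if change and not self._object_already_exists(request, obj):
            raise PermissionDenied("changelist edits may only modify existing rows")
        return super().save_model(request, obj, form, change)

    def _object_already_exists(self, request, obj):
        if obj.pk is None:  # freshly built instance, never persisted
            return False
        return self.get_queryset(request).filter(pk=obj.pk).exists()

# Constructed stand-in for ModelAdmin, used only to exercise the mixin stand-alone.
class _FakeModelAdmin:
    def __init__(self, existing_pks):
        self.existing_pks, self.saved = set(existing_pks), []

    def get_queryset(self, request):  # only .filter(pk=...).exists() is needed here
        pks = self.existing_pks
        return SimpleNamespace(filter=lambda pk=None: SimpleNamespace(exists=lambda: pk in pks))

    def save_model(self, request, obj, form, change):
        self.saved.append(obj.pk)  # what an unguarded admin would persist

class GuardedAdmin(ExistingObjectsOnlyMixin, _FakeModelAdmin):
    pass

def simulate_changelist_save(existing_pks, submitted_pks):
    """Feed each submitted row as a change-save; return (saved_pks, rejected_pks)."""
    admin, rejected = GuardedAdmin(existing_pks), []
    for pk in submitted_pks:
        try:
            admin.save_model(None, SimpleNamespace(pk=pk), None, change=True)
        except PermissionDenied:
            rejected.append(pk)
    return admin.saved, rejected
```

Rows whose pk is missing or not visible to the admin's queryset are rejected with a 403 in a real Django project, while genuine edits of existing rows pass through unchanged.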

Mitigation

Django versions 3.2 and 4.2 are End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Django.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Cantina (finder)

Vulnerability Details

Severity: Low (CVSS assessment legend: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10)
ID: CVE-2026-4292
Project Affected: Django
Versions Affected: <=3.2.25, <=4.2.29, <=5.2.13, <=6.0.4
NES Versions Affected:
Published date: June 2, 2026
≈ Fix date: April 29, 2026
Category: Authorization Bypass