CVE-2026-33034
Published 2026-04-07
Priority: P3 · 45 · high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.77% (50.9th percentile)
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django would like to thank Superior for reporting this issue.
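To show why a declared length alone is not a safe bound, here is an added illustration (not Django's code and not its fix): a weak ASGI body reader that compares only the client's `Content-Length` against `DATA_UPLOAD_MAX_MEMORY_SIZE`, beside a hardened one that also counts the bytes actually delivered by `receive()`. The limit value, the reader functions and the replayed request are assumptions constructed for this example.

```python
import asyncio

DATA_UPLOAD_MAX_MEMORY_SIZE = 2_621_440  # Django's default (2.5 MiB), assumed as the limit here

class RequestDataTooBig(Exception):
    """Raised instead of buffering a body larger than the limit."""

def declared_length(scope):
    # Content-Length as the client declared it; 0 when the header is absent or malformed.
    value = dict(scope.get("headers", [])).get(b"content-length", b"")
    return int(value) if value.isdigit() else 0

async def read_body_trusting_header(scope, receive, limit):
    # Weak pattern: only the declared length is checked, so a missing or
    # understated Content-Length is never compared with the bytes actually received.
    if declared_length(scope) > limit:
        raise RequestDataTooBig()
    chunks, more = [], True
    while more:
        message = await receive()
        chunks.append(message.get("body", b""))
        more = message.get("more_body", False)
    return b"".join(chunks)

async def read_body_bounded(scope, receive, limit):
    # Hardened pattern: keep the cheap header check, but also count the bytes the
    # ASGI server delivers and stop as soon as the running total crosses the limit.
    if declared_length(scope) > limit:
        raise RequestDataTooBig()
    chunks, total, more = [], 0, True
    while more:
        message = await receive()
        chunk = message.get("body", b"")
        total += len(chunk)
        if total > limit:
            raise RequestDataTooBig()
        chunks.append(chunk)
        more = message.get("more_body", False)
    return b"".join(chunks)

def simulate(reader, declared, chunks, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    # Constructed ASGI scope and receive() replaying fixed body chunks; declared=None omits the header.
    headers = [] if declared is None else [(b"content-length", str(declared).encode())]
    queue = list(chunks)
    async def receive():
        return {"type": "http.request", "body": queue.pop(0), "more_body": bool(queue)}
    try:
        return len(asyncio.run(reader({"type": "http", "headers": headers}, receive, limit)))
    except RequestDataTooBig:
        return -1  # rejected before the whole body was buffered
```

`simulate` returns the number of bytes the reader buffered, or -1 when it rejected the request; with a header that says 10 bytes (or no header) and a 3 MB body, only the bounded reader rejects.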
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:4.2.30-1 (sid) | python-django 3:4.2.30-1 (sid) |
| djangoproject | django | >= 4.2 < 4.2.30 | 4.2.30 |
| djangoproject | django | >= 4.2 < 4.2.30 | 4.2.30 |
| djangoproject | django | >= 5.2 < 5.2.13 | 5.2.13 |
| djangoproject | django | >= 5.2 < 5.2.13 | 5.2.13 |
| djangoproject | django | >= 6.0 < 6.0.4 | 6.0.4 |
| djangoproject | django | >= 6.0 < 6.0.4 | 6.0.4 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 6.5 | MEDIUM | |
OSV (osv · 2026-04-07 · CVSS 7.5): CVE-2026-33034 [HIGH] Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
GHSA (ghsa · 2026-04-07): CVE-2026-33034 [HIGH] CWE-770 Django: ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit
OSV (osv · 2026-04-07 · CVSS 7.5): CVE-2026-33034 [HIGH] "An issue was discovered in 6"
OSV (osv · 2026-04-07 · CVSS 6.5): CVE-2026-33033 [MEDIUM] python-django vulnerabilities
Seokchan Yoon discovered that Django incorrectly handled copying memory when parsing multipart uploads with excessive whitespace. A remote attacker could possibly use this issue to cause Django to use excessive resources, leading to a denial of service. (CVE-2026-33033)

It was discovered that Django did not enforce an upload memory size limit in the Content-Length header. A remote attacker could possibly use this issue to cause Django to use excessive resources, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-33034)

Tarek Nakkouch discovered that Django incorrectly handled underscores in the ASGI headers. A remote attacker could possibly use this issue to spoof HTTP headers. This issue only affected Ubun
OSV (osv · 2026-04-07): CVE-2026-33034 [HIGH] Django: ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit
Ubuntu (vendor_ubuntu · 2026-04-09 · CVSS 6.5): CVE-2026-33033 [MEDIUM] Django vulnerabilities
Summary: Several security issues were fixed in Django.
USN-8154-1 fixed vulnerabilities in Django. This update provides the corresponding updates for Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
Ubuntu (vendor_ubuntu · 2026-04-07 · CVSS 6.5): CVE-2026-33033 [MEDIUM] Django vulnerabilities
Summary: Several security issues were fixed in Django.
Red Hat (vendor_redhat · 2026-04-07 · CVSS 7.5): CVE-2026-33034 [HIGH] CWE-130 Django: Denial of Service via missing or understated Content-Length header in ASGI requests
A flaw was found in Django. A remote attacker can exploit this vulnerability by sending ASGI (Asynchronous Server Gateway Interface) requests with a missing or understated `Content-Length` header. This allows the attacker to bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit, leading to an unbounded request body being loaded into memory. This can result in a Denial of Service (DoS) condition, making the application unavailable to legitimate users.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Debian (vendor_debian · 2026 · CVSS 7.5): CVE-2026-33034 [HIGH] python-django
Scope: local
- bookworm: open
- bullseye: open
- forky: open
- sid: resolved (fixed in 3:4.2.30-1)
- trixie: open
No detection rules found.
No public exploits indexed.
Wiz (blogs_wiz · CVSS 6.5): CVE-2026-33034 [MEDIUM] CVE-2026-33034 Impact, Exploitability, and Mitigation Steps | Wiz
Django vulnerability analysis and mitigation. Tags: `Content-Length`, `DATA_UPLOAD_MAX_MEMORY_SIZE`, `HttpRequest.body`. Source: NVD.
- Score 7.5, severity HIGH, CNA score 7.5, published April 7, 2026
- Affected technologies: Django, Chainguard
- Has public exploit: No. Has CISA KEV exploit: No (KEV release date N/A, due date N/A)
- Exploitation probability percentile (EPSS): 6.8; exploitation probability (EPSS): N/A
- Affected packages and libraries: authentik-2026.2, authentik-fips-2025.12
Sources: NVD

| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| Alpine 3.23, edge | HIGH | Has fix | Apr 09, 2026 |
| Chainguard | | Has fix | Apr 10, 2026 |
| Debian 11 | HIGH | No fix | Apr 09, 2026 |
| Debian 12, 13 | MEDIUM | No fix | Apr 09, 2026 |
| Debian 14 | HIGH | Has fix | Apr |
Wiz (blogs_wiz · CVSS 6.5): CVE-2026-4277 [MEDIUM] CVE-2026-4277 Impact, Exploitability, and Mitigation Steps | Wiz
Django vulnerability analysis and mitigation. Tags: `POST`, `GenericInlineModelAdmin`. Source: NVD.
- Score 9.8, severity CRITICAL, CNA score 9.8, published April 7, 2026
- Affected technologies: Django, Chainguard
- Has public exploit: No. Has CISA KEV exploit: No (KEV release date N/A, due date N/A)
- Exploitation probability percentile (EPSS): 2; exploitation probability (EPSS): N/A
- Affected packages and libraries: authentik-2025.12, authentik-2026.2
Sources: NVD

| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| Alpine 3.23, edge | CRITICAL | Has fix | Apr 09, 2026 |
| Chainguard | | Has fix | Apr 10, 2026 |
| Debian 11 | CRITICAL | No fix | Apr 09, 2026 |
| Debian 12, 13 | MEDIUM | No fix | Apr 09, 2026 |
| Debian 14 | CRITICAL | Has fix | Apr 09, 2026 |
| Echo | | | |
Wiz (blogs_wiz · CVSS 6.5): CVE-2026-33033 [MEDIUM] CVE-2026-33033 Impact, Exploitability, and Mitigation Steps | Wiz
Django vulnerability analysis and mitigation. Tags: `MultiPartParser`, `Content-Transfer-Encoding: base64`. Source: NVD.
- Score 6.5, severity MEDIUM, CNA score 6.5, published April 7, 2026
- Affected technologies: Django, Chainguard
- Has public exploit: No. Has CISA KEV exploit: No (KEV release date N/A, due date N/A)
- Exploitation probability percentile (EPSS): 27.1; exploitation probability (EPSS): 0.1
- Affected packages and libraries: django, authentik-2025.12
Sources: NVD

| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| Alpine 3.23, edge | MEDIUM | Has fix | Apr 09, 2026 |
| Chainguard | | Has fix | Apr 10, 2026 |
| Debian 11, 12, 13 | MEDIUM | No fix | Apr 09, 2026 |
| Debian 14 | MEDIUM | Has fix | Apr 09, 2026 |
| Echo | MEDIUM | No fix | Apr 09, 2026 |
| pip | | | |
Wiz (blogs_wiz · CVSS 6.5): CVE-2026-3902 [MEDIUM] CVE-2026-3902 Impact, Exploitability, and Mitigation Steps | Wiz
Django vulnerability analysis and mitigation. Tags: `ASGIRequest`. Source: NVD.
- Score 7.5, severity HIGH, CNA score 7.5, published April 7, 2026
- Affected technologies: Django, Chainguard
- Has public exploit: No. Has CISA KEV exploit: No (KEV release date N/A, due date N/A)
- Exploitation probability percentile (EPSS): 10.7; exploitation probability (EPSS): N/A
- Affected packages and libraries: authentik-2025.12, authentik-2026.2
Sources: NVD

| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| Alpine 3.23, edge | HIGH | Has fix | Apr 09, 2026 |
| Chainguard | | Has fix | Apr 10, 2026 |
| Debian 11 | HIGH | No fix | Apr 09, 2026 |
| Debian 12, 13 | MEDIUM | No fix | Apr 09, 2026 |
| Debian 14 | HIGH | Has fix | Apr 09, 2026 |
| Echo | HIGH | No fix | Apr 09, 2 |
Wiz (blogs_wiz · CVSS 6.5): CVE-2026-4292 [MEDIUM] CVE-2026-4292 Impact, Exploitability, and Mitigation Steps | Wiz
Django vulnerability analysis and mitigation. Tags: `ModelAdmin.list_editable`, `POST`. Source: NVD.
- Score 2.7, severity LOW, CNA score 2.7, published April 7, 2026
- Affected technologies: Django, Chainguard
- Has public exploit: No. Has CISA KEV exploit: No (KEV release date N/A, due date N/A)
- Exploitation probability percentile (EPSS): 0.7; exploitation probability (EPSS): N/A
- Affected packages and libraries: python-django, django
Sources: NVD

| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| Alpine 3.23, edge | LOW | Has fix | Apr 09, 2026 |
| Chainguard | | Has fix | Apr 10, 2026 |
| Debian 11 | LOW | No fix | Apr 09, 2026 |
| Debian 12, 13 | MEDIUM | No fix | Apr 09, 2026 |
| Debian 14 | LOW | Has fix | Apr 09, 2026 |
| Echo | LOW | No fix | Apr 09, 20 |
Bugzilla (bugzilla · 2026-04-07 · CVSS 7.5): CVE-2026-33034 [HIGH] Django: Denial of Service via missing or understated Content-Length header in ASGI requests
Published 2026-04-07