CVE-2026-33034
Severity
7.5HIGH
EPSS
0.0%
top 90.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 7
Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
ASGI requests with a missing or understated `Content-Length` header could
bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
`HttpRequest.body`, allowing remote attackers to load an unbounded request body into
memory.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Superior for reporting this issue.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages3 packages
🔴Vulnerability Details
6OSV▶
CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass↗2026-04-07
GHSA▶
Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit↗2026-04-07
OSV▶
Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit↗2026-04-07
CVEList▶
Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass↗2026-04-07
📋Vendor Advisories
3🕵️Threat Intelligence
1💬Community
1Bugzilla▶
CVE-2026-33034 Django: Django: Denial of Service via missing or understated Content-Length header in ASGI requests↗2026-04-07