CVE-2026-3902: Authentication Bypass by Spoofing in Django

Severity: 7.5 HIGH (NVD)
EPSS: 0.0% (top 85.49%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Apr 7

Description

An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header name variants (hyphenated and underscored) to a single underscored form. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
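To make the ambiguity concrete, here is an added illustration (not Django's own `ASGIRequest` code) of how a CGI-style META conversion collapses hyphenated and underscored header names onto one key, together with a detection check for colliding names and a mitigation that drops underscore names before mapping. The `SAMPLE_HEADERS` list and the `meta_key`, `naive_meta`, `find_ambiguous` and `strict_meta` helpers are constructed for this example.

```python
# Added illustration of the header-name ambiguity described above.
# Hypothetical helpers; not Django's ASGIRequest implementation.

# Constructed ASGI-style header list: (name, value) byte pairs.
# ASGI servers already lowercase header names.
SAMPLE_HEADERS = [
    (b"host", b"example.test"),
    (b"x-forwarded-for", b"203.0.113.7"),  # value a trusted proxy set
    (b"x_forwarded_for", b"10.0.0.1"),     # underscore variant from the client
]


def meta_key(name: bytes) -> str:
    """CGI/WSGI-style META key: HTTP_ + upper case + '-' replaced by '_'.
    Both 'x-forwarded-for' and 'x_forwarded_for' yield HTTP_X_FORWARDED_FOR,
    which is the ambiguous mapping behind this CVE."""
    return "HTTP_" + name.decode("latin1").upper().replace("-", "_")


def naive_meta(headers) -> dict:
    """Unsafe conversion: a later header silently overwrites an earlier one
    that maps to the same META key."""
    meta = {}
    for name, value in headers:
        meta[meta_key(name)] = value.decode("latin1")
    return meta


def find_ambiguous(headers) -> dict:
    """Detection: META keys fed by more than one distinct raw header name."""
    groups: dict[str, set[str]] = {}
    for name, _ in headers:
        groups.setdefault(meta_key(name), set()).add(name.decode("latin1"))
    return {k: v for k, v in groups.items() if len(v) > 1}


def strict_meta(headers) -> tuple[dict, list]:
    """Mitigation: drop header names containing '_' before mapping (the rule
    many reverse proxies apply), so '-' is the only source of each META key.
    Returns (meta, dropped_names) so the drops can be logged."""
    meta, dropped = {}, []
    for name, value in headers:
        if b"_" in name:
            dropped.append(name.decode("latin1"))
            continue
        meta[meta_key(name)] = value.decode("latin1")
    return meta, dropped
```

With the sample input, `naive_meta` reports the client-supplied 10.0.0.1 for HTTP_X_FORWARDED_FOR, while `strict_meta` keeps the proxy's 203.0.113.7 and records the dropped underscore name.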

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

CVEList V5: djangoproject/django, affected 6.0, fixed in 6.0.4 (+2 more)
NVD: djangoproject/django, affected 4.2, fixed in 4.2.30 (+2 more)
PyPI: djangoproject/django, affected 6.0, fixed in 6.0.4 (+2 more)

Patches

Vulnerability Details (5)

CVEList: ASGI header spoofing via underscore/hyphen conflation (2026-04-07)
OSV: Django vulnerable to ASGI header spoofing via underscore/hyphen conflation (2026-04-07)
GHSA: Django vulnerable to ASGI header spoofing via underscore/hyphen conflation (2026-04-07)
OSV: CVE-2026-3902: An issue was discovered in 6 (2026-04-07)
OSV: CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation (2026-04-07)

Vendor Advisories (3)

Ubuntu: Django vulnerabilities (2026-04-07)
Red Hat: Django: Django: Header spoofing via ambiguous header mapping (2026-04-07)
Debian: CVE-2026-3902: python-django - An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-3902 Impact, Exploitability, and Mitigation Steps | Wiz

Community (1)

Bugzilla: CVE-2026-3902 Django: Django: Header spoofing via ambiguous header mapping (2026-04-07)
CVE-2026-3902 — Authentication Bypass by Spoofing | cvebase