CVE-2026-4277 — Missing Authorization in Django

CWE-862 — Missing Authorization CWE-639 — Authorization Bypass Through User-Controlled Key11 documents9 sources

Severity

9.8CRITICALNVD

EPSS

0.1%

top 82.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedApr 7

Latest updateApr 9

Description

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5djangoproject/django6.0 — 6.0.4+2

▶NVDdjangoproject/django4.2 — 4.2.30+2

▶PyPIdjangoproject/django6.0 — 6.0.4+2

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

OSV

CVE-2026-4277: An issue was discovered in 6↗2026-04-07

▶

GHSA

Django vulnerable to privilege abuse in GenericInlineModelAdmin↗2026-04-07

▶

OSV

Django vulnerable to privilege abuse in GenericInlineModelAdmin↗2026-04-07

▶

CVEList

Privilege abuse in GenericInlineModelAdmin↗2026-04-07

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2026-04-09

▶

Ubuntu

Django vulnerabilities↗2026-04-07

▶

Red Hat

Django: Django: Privilege Abuse via Forged POST Data in GenericInlineModelAdmin↗2026-04-07

▶

Debian

CVE-2026-4277: python-django - An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4277 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-4277 Django: Django: Privilege Abuse via Forged POST Data in GenericInlineModelAdmin↗2026-04-07

▶