CVE-2026-4292

CWE-862Missing AuthorizationCWE-47211 documents9 sources
Severity
2.7LOW
EPSS
0.0%
top 98.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Djangoproject Django
Timeline
PublishedApr 7
Latest updateApr 9

Description

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages3 packages

PyPIDjango6.06.0.4+2
PyPIdjango6.06.0.4+2
CVEListV5djangoproject/django6.06.0.4+2

🔴Vulnerability Details

4
OSV
Django vulnerable to privilege abuse in ModelAdmin.list_editable2026-04-07
GHSA
Django vulnerable to privilege abuse in ModelAdmin.list_editable2026-04-07
OSV
CVE-2026-4292: An issue was discovered in 62026-04-07
CVEList
Privilege abuse in ModelAdmin.list_editable2026-04-07

📋Vendor Advisories

4
Ubuntu
Django vulnerabilities2026-04-09
Ubuntu
Django vulnerabilities2026-04-07
Red Hat
Django: Django: Unauthorized instance creation via forged POST data in Admin changelist forms2026-04-07
Debian
CVE-2026-4292: python-django - An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-4292 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-4292 Django: Django: Unauthorized instance creation via forged POST data in Admin changelist forms2026-04-07