CVE-2026-5766
Published 2026-05-05
CVE-2026-5766: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the…
Priority: P4 (30) · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.42% (33.9th percentile)
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kyle Agronick for reporting this issue.
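The advisory's root cause is a limit enforced from the declared `Content-Length` rather than from the bytes that actually arrive, so a request that omits the header (as chunked transfer does) or understates it is never stopped. The following is an added example, not Django's code and not the patched logic: a generic ASGI middleware that counts bytes as the application pulls them from `receive()` and fails the request with 413 once the cap is crossed, shown beside the weak header-only pattern it replaces. The class and function names, the 1024-byte cap and the constructed requests in the simulation are all assumptions for illustration; in a Django deployment this would wrap the application returned by `get_asgi_application()` in `asgi.py`, and it complements rather than replaces the web-server-level limit the advisory refers to.

```python
import asyncio


class BodyTooLarge(Exception):
    """Raised by the counting receive() once the cumulative body exceeds the cap."""


async def _send_413(send):
    await send({"type": "http.response.start", "status": 413,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"request body too large"})


class HeaderOnlyLimitMiddleware:
    """The weak pattern: trusts Content-Length, so a missing or understated header bypasses it."""

    def __init__(self, app, max_bytes):
        self.app, self.max_bytes = app, max_bytes

    async def __call__(self, scope, receive, send):
        declared = dict(scope.get("headers", [])).get(b"content-length")
        if declared is not None and declared.isdigit() and int(declared) > self.max_bytes:
            return await _send_413(send)
        await self.app(scope, receive, send)


class BodySizeLimitMiddleware:
    """Hypothetical hardened pattern: cap is enforced on bytes actually received."""

    def __init__(self, app, max_bytes):
        self.app, self.max_bytes = app, max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        declared = dict(scope.get("headers", [])).get(b"content-length")
        if declared is not None and declared.isdigit() and int(declared) > self.max_bytes:
            return await _send_413(send)  # honest oversized header: reject before reading
        received, response_started = 0, False

        async def counting_receive():
            nonlocal received
            message = await receive()
            if message["type"] == "http.request":
                received += len(message.get("body", b""))
                if received > self.max_bytes:  # header is irrelevant here
                    raise BodyTooLarge(received)
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, counting_receive, tracking_send)
        except BodyTooLarge:
            if not response_started:  # a committed response cannot be replaced
                await _send_413(send)


async def echo_length_app(scope, receive, send):
    """Toy downstream app: buffers the whole body and reports its size."""
    body, more = b"", True
    while more:
        message = await receive()
        body += message.get("body", b"")
        more = message.get("more_body", False)
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(len(body)).encode()})


async def _simulate(app, chunks, content_length):
    """Drives an ASGI app with a constructed POST; returns (status, response body)."""
    headers = [] if content_length is None else [
        (b"content-length", str(content_length).encode())]
    scope = {"type": "http", "method": "POST", "path": "/upload", "headers": headers}
    queue, sent = list(chunks), []

    async def receive():
        chunk = queue.pop(0) if queue else b""
        return {"type": "http.request", "body": chunk, "more_body": bool(queue)}

    async def send(message):
        sent.append(message)

    await app(scope, receive, send)
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, body


def simulate(app, chunks, content_length=None):
    return asyncio.run(_simulate(app, chunks, content_length))


if __name__ == "__main__":
    LIMIT = 1024  # constructed cap for the demonstration
    big = [b"A" * 1000] * 5  # 5000 bytes on the wire, header claims 100
    print(simulate(HeaderOnlyLimitMiddleware(echo_length_app, LIMIT), big, 100))
    print(simulate(BodySizeLimitMiddleware(echo_length_app, LIMIT), big, 100))
```

The header-only wrapper lets the 5000-byte body through because the declared 100 passes the check; the counting wrapper stops at the second chunk regardless of what the header says or whether it is present at all. The cheap header check is kept only as an early exit for honest oversized requests. Because `BodyTooLarge` is raised from inside the application's own `await receive()`, the middleware must also track whether response headers were already sent: once a response is committed, a 413 can no longer be written, and the server's connection close is the only remaining outcome.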
Affected
26 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-24 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-25 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | eda-controller-rhel9 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| ansible-automation-platform-26 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | aap-cloud-billing-rhel9 | — | — |
| ansible-automation-platform-27 | controller-rhel9 | — | — |
| ansible-automation-platform-27 | eda-controller-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | hub-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | metrics-service-rhel9 | — | — |
| ansible-automation-platform-tech-preview | metrics-service-rhel9 | — | — |
| ansible-automation-platform | automation-dashboard-rhel9 | — | — |
| debian | python-django | — | — |
| discovery | discovery-server-rhel9 | — | — |
| djangoproject | django | >= 5.2 < 5.2.14 | 5.2.14 |
| djangoproject | django | >= 5.2 < 5.2.14 | 5.2.14 |
| djangoproject | django | >= 6.0 < 6.0.5 | 6.0.5 |
| djangoproject | django | >= 6.0 < 6.0.5 | 6.0.5 |
| satellite-capsule_el8 | python-django | — | — |
| satellite | iop-advisor-backend-rhel9 | — | — |
| satellite_el8 | python-django | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| nvd | v4.0 | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 6.3 | MEDIUM | — |
| vendor_ubuntu | — | 2.3 | LOW | — |
Red Hat
django: Django: Service degradation via understated Content-Length header in ASGI requests
vendor_redhat·2026-05-05·CVSS 6.3
CVE-2026-5766 [MEDIUM] CWE-770 django: Django: Service degradation via understated Content-Length header in ASGI requests
A flaw was found in Django. This vulnerability allows a remote attacker to bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit by sending specially crafted ASGI (Asynchronous Server Gateway Interface) requests with a missing or understated Content-Length header. This can lead to large files being loaded into memory, potentially causing service degradation or a Denial of Service (DoS) condition.
Package: ansible-automation-platform-24/lightspeed-rhel8 (Red Hat Ansible Automation Platform 2) - Fix deferred
Package: ansible-automation-platform-25/lightspeed-rhel8 (Red Hat Ansible Automation Platform 2) - Fix deferred
Package: ansible-automation-platform-26/controller-rhel9 (Red Hat Ansible Automation Platf
Ubuntu
Django vulnerabilities
vendor_ubuntu·2026-05-05·CVSS 2.3
CVE-2026-6907 [LOW] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django did not vary cached response headers on cookies when sessions were not modified while SESSION_SAVE_EVERY_REQUEST was enabled. A remote attacker could possibly use this issue to steal a user's session. (CVE-2026-35192)

Kyle Agronick and Jacob Walls discovered that Django incorrectly handled ASGI requests with missing or understated Content-Length header values. A remote attacker could possibly use this issue to cause Django to use excessive resources, leading to a denial of service. (CVE-2026-5766)

Ahmad Sadeddin discovered that Django UpdateCacheMiddleware incorrectly cached requests where the Vary header contained an asterisk. A remote attacker could possibly use this iss
GHSA
GHSA-w26r-rmm8-9c29: An issue was discovered in 6
ghsa_unreviewed·2026-05-05
CVE-2026-5766 [MEDIUM] CWE-130 GHSA-w26r-rmm8-9c29: An issue was discovered in 6
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kyle Agronick for reporting this issue.
VulDB
Django up to 5.2.13/6.0.4 length parameter
vuldb·2026-05-05·CVSS 6.3
CVE-2026-5766 [MEDIUM] Django up to 5.2.13/6.0.4 length parameter
A vulnerability classified as problematic has been found in Django up to 5.2.13/6.0.4. The affected element is an unknown function. This manipulation causes improper handling of length parameter inconsistency.
This vulnerability appears as CVE-2026-5766. The attack may be initiated remotely. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
Django has an Improper Handling of Length Parameter Inconsistency
ghsa·2026-05-05
CVE-2026-5766 [MEDIUM] CWE-130 Django has an Improper Handling of Length Parameter Inconsistency
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django thanks Kyle Agronick for reporting this issue.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-5766 python-django6: Django: Service degradation via understated Content-Length header in ASGI requests [fedora-all]
bugzilla·2026-06-04·CVSS 6.3
CVE-2026-5766 [MEDIUM] CVE-2026-5766 python-django6: Django: Service degradation via understated Content-Length header in ASGI requests [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-5766 django: Django: Service degradation via understated Content-Length header in ASGI requests
bugzilla·2026-05-05·CVSS 6.3
CVE-2026-5766 [MEDIUM] CVE-2026-5766 django: Django: Service degradation via understated Content-Length header in ASGI requests
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kyle Agronick for reporting this issue.
Published: 2026-05-05