CVE-2026-4277 - Vulnerability Details - OpenCVE

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

History

Tue, 07 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.
Title		Privilege abuse in GenericInlineModelAdmin
Weaknesses		CWE-862
References		https://docs.djangoproject.com/en/dev/releases/security/ https://groups.google.com/g/django-announce https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

MITRE

Status: PUBLISHED

Assigner: DSF

Published: 2026-04-07T14:22:25.547Z

Updated: 2026-04-07T14:22:25.547Z

Reserved: 2026-03-16T15:26:08.125Z

Link: CVE-2026-4277

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-07T15:17:46.500

Modified: 2026-04-07T15:17:46.500

Link: CVE-2026-4277

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4277", "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "state": "PUBLISHED", "assignerShortName": "DSF", "dateReserved": "2026-03-16T15:26:08.125Z", "datePublished": "2026-04-07T14:22:25.547Z", "dateUpdated": "2026-04-07T14:22:25.547Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "shortName": "DSF", "dateUpdated": "2026-04-07T14:22:25.547Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122: Privilege Abuse"}]}], "title": "Privilege abuse in GenericInlineModelAdmin", "metrics": [{"other": {"content": {"value": "low", "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels"}, "type": "Django severity rating"}}], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdd permissions on inline model instances were not validated on submission of\r\nforged `POST` data in `GenericInlineModelAdmin`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank N05ec@LZU-DSLab for reporting this issue.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.</p><p>Add permissions on inline model instances were not validated on submission of</p><p>forged `POST` data in `GenericInlineModelAdmin`.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank N05ec@LZU-DSLab for reporting this issue.</p>"}]}], "affected": [{"collectionURL": "https://pypi.org/project/Django/", "defaultStatus": "unaffected", "packageName": "django", "product": "Django", "repo": "https://github.com/django/django/", "vendor": "djangoproject", "versions": [{"status": "affected", "version": "6.0", "lessThan": "6.0.4", "versionType": "semver"}, {"status": "unaffected", "version": "6.0.4", "versionType": "semver"}, {"status": "affected", "version": "5.2", "lessThan": "5.2.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.2.13", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.30", "versionType": "semver"}, {"status": "unaffected", "version": "4.2.30", "versionType": "semver"}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "name": "Django security archive", "tags": ["vendor-advisory"]}, {"url": "https://groups.google.com/g/django-announce", "name": "Django releases announcements", "tags": ["mailing-list"]}, {"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/", "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "type": "reporter", "value": "N05ec@LZU-DSLab"}, {"lang": "en", "type": "remediation developer", "value": "Jacob Walls"}, {"lang": "en", "type": "coordinator", "value": "Jacob Walls"}], "timeline": [{"lang": "en", "time": "2026-03-07T12:00:00.000Z", "value": "Initial report received."}, {"lang": "en", "time": "2026-03-16T12:00:00.000Z", "value": "Vulnerability confirmed."}, {"lang": "en", "time": "2026-04-07T09:00:00.000Z", "value": "Security release issued."}], "datePublic": "2026-04-07T09:00:00.000Z", "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}