CVE-2026-4292: CWE-862: Missing Authorization in djangoproject Django
CVE-2026-4292 is a low-severity vulnerability in Django versions prior to 6. 0. 4, 5. 2. 13, and 4. 2. 30. It involves missing authorization checks in admin changelist forms that use ModelAdmin. list_editable, allowing creation of new instances via forged POST data. Earlier unsupported Django versions may also be affected.
AI Analysis
Technical Summary
This vulnerability affects Django web framework versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. The issue arises because admin changelist forms that use the ModelAdmin.list_editable feature do not properly enforce authorization, permitting attackers with certain privileges to create new model instances by submitting forged POST requests. Unsupported earlier versions such as 5.0.x, 4.1.x, and 3.2.x were not evaluated but may also be vulnerable. The flaw is categorized under CWE-862, indicating missing authorization controls. The CVSS score is 2.7 (low severity), reflecting limited impact and requiring high privileges to exploit.
Potential Impact
The vulnerability allows an attacker with administrative privileges to create new model instances through unauthorized POST requests in the Django admin interface. There is no impact on confidentiality or availability, and the integrity impact is limited to unauthorized creation of data entries. No known exploits are reported in the wild, and the overall severity is low.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are provided in the available data. Users should monitor the official Django project advisories for updates and apply patches once released. Until then, review and restrict administrative access to trusted users only and consider disabling the use of ModelAdmin.list_editable in admin changelist forms if feasible.
CVE-2026-4292: CWE-862: Missing Authorization in djangoproject Django
Description
CVE-2026-4292 is a low-severity vulnerability in Django versions prior to 6. 0. 4, 5. 2. 13, and 4. 2. 30. It involves missing authorization checks in admin changelist forms that use ModelAdmin. list_editable, allowing creation of new instances via forged POST data. Earlier unsupported Django versions may also be affected.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Django web framework versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. The issue arises because admin changelist forms that use the ModelAdmin.list_editable feature do not properly enforce authorization, permitting attackers with certain privileges to create new model instances by submitting forged POST requests. Unsupported earlier versions such as 5.0.x, 4.1.x, and 3.2.x were not evaluated but may also be vulnerable. The flaw is categorized under CWE-862, indicating missing authorization controls. The CVSS score is 2.7 (low severity), reflecting limited impact and requiring high privileges to exploit.
Potential Impact
The vulnerability allows an attacker with administrative privileges to create new model instances through unauthorized POST requests in the Django admin interface. There is no impact on confidentiality or availability, and the integrity impact is limited to unauthorized creation of data entries. No known exploits are reported in the wild, and the overall severity is low.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are provided in the available data. Users should monitor the official Django project advisories for updates and apply patches once released. Until then, review and restrict administrative access to trusted users only and consider disabling the use of ModelAdmin.list_editable in admin changelist forms if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- DSF
- Date Reserved
- 2026-03-16T16:58:02.592Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d51c3eaaed68159a2c162f
Added to database: 4/7/2026, 3:01:18 PM
Last enriched: 4/14/2026, 4:01:04 PM
Last updated: 5/23/2026, 9:59:54 PM
Views: 50
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.