CVE-2026-5766: CWE-130: Improper Handling of Length Parameter Inconsistency in djangoproject Django
CVE-2026-5766 is a vulnerability in Django versions 6.0 before 6.0.5 and 5.2 before 5.2.14 where ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit. This can lead to large files being loaded into memory, potentially causing service degradation. The issue affects the handling of length parameters in file uploads. Django recommends configuring upload size limits at the web server level.
AI Analysis
Technical Summary
This vulnerability arises from improper handling of the Content-Length header in ASGI requests in Django versions 6.0 (before 6.0.5) and 5.2 (before 5.2.14). When the Content-Length header is missing or understated, the FILE_UPLOAD_MAX_MEMORY_SIZE limit can be bypassed, allowing large files to be loaded into memory. This can degrade service performance. The issue is related to CWE-130 (Improper Handling of Length Parameter Inconsistency). Django advises that upload size limits should be enforced at the web server level rather than relying solely on Django's FILE_UPLOAD_MAX_MEMORY_SIZE setting. Earlier unsupported versions may also be affected but were not evaluated. No known exploits are reported in the wild.
Potential Impact
The vulnerability can cause denial of service conditions due to excessive memory consumption when large files bypass the configured upload size limit. There is no impact on confidentiality or integrity reported. The primary impact is availability degradation of the Django-hosted service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Meanwhile, it is recommended to enforce upload size limits at the web server or reverse proxy level as per Django's guidance. Monitoring for updates from the Django project is advised to apply official fixes once available.
CVE-2026-5766: CWE-130: Improper Handling of Length Parameter Inconsistency in djangoproject Django
Description
CVE-2026-5766 is a vulnerability in Django versions 6.0 before 6.0.5 and 5.2 before 5.2.14 where ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit. This can lead to large files being loaded into memory, potentially causing service degradation. The issue affects the handling of length parameters in file uploads. Django recommends configuring upload size limits at the web server level.
CVSS v3.1
Score 5.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from improper handling of the Content-Length header in ASGI requests in Django versions 6.0 (before 6.0.5) and 5.2 (before 5.2.14). When the Content-Length header is missing or understated, the FILE_UPLOAD_MAX_MEMORY_SIZE limit can be bypassed, allowing large files to be loaded into memory. This can degrade service performance. The issue is related to CWE-130 (Improper Handling of Length Parameter Inconsistency). Django advises that upload size limits should be enforced at the web server level rather than relying solely on Django's FILE_UPLOAD_MAX_MEMORY_SIZE setting. Earlier unsupported versions may also be affected but were not evaluated. No known exploits are reported in the wild.
Potential Impact
The vulnerability can cause denial of service conditions due to excessive memory consumption when large files bypass the configured upload size limit. There is no impact on confidentiality or integrity reported. The primary impact is availability degradation of the Django-hosted service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Meanwhile, it is recommended to enforce upload size limits at the web server or reverse proxy level as per Django's guidance. Monitoring for updates from the Django project is advised to apply official fixes once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- DSF
- Date Reserved
- 2026-04-07T19:29:07.042Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa1920cbff5d86100ff72c
Added to database: 5/5/2026, 4:21:52 PM
Last enriched: 5/13/2026, 3:48:11 AM
Last updated: 6/20/2026, 5:49:32 AM
Views: 53
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.