CVE-2026-3902
Status: Received - Intake
Header Spoofing via ASGIRequest in Django Before

Publication date: 2026-04-07

Last updated on: 2026-04-13

Assigner: Django Software Foundation

Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Meta Information
  • Published: 2026-04-07
  • Last Modified: 2026-04-13
  • Generated: 2026-05-06
  • AI Q&A: 2026-04-07
  • EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
  • Vendor: djangoproject, Product: django, Version range: from 4.2 (inc) to 4.2.30 (exc)
  • Vendor: djangoproject, Product: django, Version range: from 5.2 (inc) to 5.2.13 (exc)
  • Vendor: djangoproject, Product: django, Version range: from 6.0 (inc) to 6.0.4 (exc)
CWE
  • CWE-290: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows remote attackers to spoof security-sensitive HTTP headers by exploiting the ambiguous mapping of headers with hyphens and underscores in Django's ASGIRequest handling. This spoofing can potentially bypass protections in reverse proxies, which may lead to unauthorized access or manipulation of sensitive data.

Such unauthorized access or manipulation of data could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and access. If exploited, this vulnerability might lead to violations of these regulations due to improper handling or exposure of protected data.

To mitigate this risk and maintain compliance, Django has updated ASGIRequest to ignore headers containing underscores, aligning with the behavior of the ASGI reference server Daphne. Users are encouraged to upgrade to the fixed versions (6.0.4, 5.2.13, and 4.2.30) to prevent exploitation.


Can you explain this vulnerability to me?

CVE-2026-3902 is a low-severity security vulnerability in Django's ASGIRequest handling related to header spoofing via underscore/hyphen conflation.

ASGIRequest normalizes HTTP header names by converting hyphens to underscores following WSGI conventions. This allows an attacker to spoof security-sensitive headers that use hyphens by sending headers with underscores instead.

This spoofing bypasses protections in reverse proxies that strip such headers: unlike WSGI, ASGI has no uniform expectation that servers or proxies prevent this ambiguous mapping, so a header variant with underscores can reach the application and be treated as its hyphenated counterpart.

To mitigate this, Django now ignores headers containing underscores in ASGIRequest, aligning with the behavior of the ASGI reference server Daphne.
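The collision described above, as an added illustration that is not Django's own code: `build_meta` imitates how an ASGI request maps raw header names onto WSGI-style META keys (uppercase, hyphens replaced by underscores), with a flag that switches between the pre-fix behaviour and the fix of ignoring names containing underscores; `proxy_forward` is an assumed model of a reverse proxy that overwrites `X-Forwarded-For` and, like nginx with its default `underscores_in_headers off`, drops header names containing underscores. The header values and addresses are constructed for the demo.

```python
"""Model of the ASGIRequest header-name collision behind CVE-2026-3902.

Added illustration, not Django's code. `build_meta` imitates the WSGI-style
META mapping an ASGI request performs; `proxy_forward` is an assumed model of
a trusted reverse proxy in front of the application.
"""
from typing import Dict, List, Optional, Tuple

Header = Tuple[bytes, bytes]

# Hyphenated headers the proxy overwrites with its own value (constructed list).
PROXY_CONTROLLED = {"x-forwarded-for"}


def proxy_forward(headers: List[Header], drop_underscores: bool = True) -> List[Header]:
    """Rewrite client headers the way an assumed trusted proxy would.

    Proxy-controlled hyphenated names are replaced by the proxy's own value.
    Names containing underscores are dropped when drop_underscores is set
    (nginx's default behaviour), otherwise passed through unchanged.
    """
    out: List[Header] = []
    for name, value in headers:
        lname = name.decode("latin1").lower()
        if lname in PROXY_CONTROLLED:
            continue  # the proxy appends its own value below
        if drop_underscores and "_" in lname:
            continue
        out.append((lname.encode("latin1"), value))
    out.append((b"x-forwarded-for", b"203.0.113.7"))  # constructed client IP as seen by the proxy
    return out


def build_meta(headers: List[Header], ignore_underscores: bool) -> Dict[str, str]:
    """Map ASGI (name, value) header pairs to META keys.

    ignore_underscores=False models the pre-fix behaviour: 'x_forwarded_for' and
    'x-forwarded-for' both normalise to HTTP_X_FORWARDED_FOR.
    ignore_underscores=True models the fix: names containing '_' are skipped.
    """
    meta: Dict[str, str] = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1")
        if ignore_underscores and "_" in name:
            continue
        if name == "content-length":
            key = "CONTENT_LENGTH"
        elif name == "content-type":
            key = "CONTENT_TYPE"
        else:
            key = "HTTP_" + name.upper().replace("-", "_")
        value = raw_value.decode("latin1")
        if key in meta:
            value = meta[key] + "," + value  # repeated names are joined, client value first
        meta[key] = value
    return meta


def forwarded_for(headers: List[Header], proxy_drops_underscores: bool,
                  app_ignores_underscores: bool) -> Optional[str]:
    """Value the application reads for X-Forwarded-For after proxy and app mapping."""
    forwarded = proxy_forward(headers, drop_underscores=proxy_drops_underscores)
    meta = build_meta(forwarded, ignore_underscores=app_ignores_underscores)
    return meta.get("HTTP_X_FORWARDED_FOR")


# Constructed client request: the hyphenated header the proxy overwrites,
# plus an underscore variant of the same name.
CLIENT_HEADERS: List[Header] = [
    (b"host", b"app.example"),
    (b"x-forwarded-for", b"198.51.100.1"),
    (b"x_forwarded_for", b"198.51.100.1"),
]

if __name__ == "__main__":
    for proxy_drops, app_ignores in [(False, False), (False, True), (True, False)]:
        print(f"proxy drops '_': {proxy_drops}, app ignores '_': {app_ignores} ->",
              forwarded_for(CLIENT_HEADERS, proxy_drops, app_ignores))
```

Only the combination where the proxy passes underscore names through and the application still maps them (the pre-fix case) lets the client-supplied value land first in `HTTP_X_FORWARDED_FOR`; either the proxy dropping such names or the fixed mapping ignoring them leaves only the proxy's value.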


How can this vulnerability impact me?

This vulnerability allows a remote attacker to spoof security-sensitive HTTP headers by exploiting the ambiguous mapping of headers with hyphens and underscores.

By spoofing headers, an attacker could bypass protections implemented by reverse proxies that normally strip or block such headers, potentially leading to unauthorized access or manipulation of request handling.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves spoofing HTTP headers by exploiting the ambiguous mapping of headers with hyphens and underscores in ASGIRequest. Detection involves monitoring HTTP requests for suspicious headers containing underscores that could be used to bypass protections.

You can inspect incoming HTTP headers on your server or proxy to identify headers with underscores that might be spoofing security-sensitive headers. For example, using command-line tools like tcpdump or tshark to capture HTTP traffic and grep or awk to filter headers with underscores.

  • Use tcpdump to capture HTTP traffic: tcpdump -A -s 0 'tcp port 80 or tcp port 443'
  • Filter captured traffic for headers containing underscores: grep -i '_'
  • Alternatively, use tshark to extract HTTP headers: tshark -Y http -T fields -e http.host -e http.request.full_uri -e http.header

Look specifically for headers that should normally contain hyphens but appear with underscores, as these may indicate attempts to exploit the vulnerability.
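A more targeted version of the underscore check above, as an added example that is not code from the page: it parses raw HTTP/1.x request text (the form `tcpdump -A` prints), lists header names containing underscores, and records which hyphenated name each one would shadow after WSGI/ASGI normalisation, whether that twin is on a watch list, and whether the twin also appears in the same request. The watch list, function names and sample requests are constructed for the demo.

```python
"""Detection helper for underscore header names (added example, not from the page).

Works on raw request text such as the output of `tcpdump -A`; the watch list
and the sample requests below are constructed, not captured traffic.
"""
import re
from typing import Dict, List, Tuple

# Hyphenated headers a proxy usually controls; an underscore twin of one of
# these is the pattern worth alerting on. Constructed watch list.
WATCHED = {"x-forwarded-for", "x-forwarded-proto", "x-forwarded-host", "x-real-ip"}

# RFC 7230 token characters for a header field name.
_HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*)$")


def parse_headers(request_text: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw request, preserving order and case."""
    lines = request_text.replace("\r\n", "\n").split("\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:          # skip the request line
        if line == "":
            break                   # blank line ends the header block
        match = _HEADER_LINE.match(line)
        if match:
            headers.append((match.group(1), match.group(2).strip()))
    return headers


def meta_key(name: str) -> str:
    """WSGI/ASGI-style normalisation: uppercase, hyphens to underscores."""
    return "HTTP_" + name.upper().replace("-", "_")


def find_underscore_headers(request_text: str) -> List[Dict[str, object]]:
    """Flag header names containing '_' with the hyphenated name they shadow."""
    headers = parse_headers(request_text)
    present = {name.lower() for name, _ in headers}
    findings: List[Dict[str, object]] = []
    for name, value in headers:
        if "_" not in name:
            continue
        twin = name.lower().replace("_", "-")
        findings.append({
            "header": name,
            "value": value,
            "normalised_key": meta_key(name),
            "shadows": twin,
            "watched": twin in WATCHED,       # twin is a proxy-controlled header
            "twin_present": twin in present,  # both variants in one request
        })
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = (
    "GET / HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "User-Agent: demo\r\n"
    "\r\n"
)
SUSPECT = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "X_Forwarded_For: 198.51.100.1\r\n"
    "Custom_Header: harmless\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("suspect", SUSPECT)):
        for finding in find_underscore_headers(request):
            print(label, finding)
```

A finding with both `watched` and `twin_present` set is the strongest signal; an underscore name with no hyphenated counterpart on the watch list (like `Custom_Header` here) is more likely a legacy client than a spoofing attempt.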


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Django to a fixed version that addresses this vulnerability.

  • Upgrade Django to version 6.0.4 or later if using the 6.0 series.
  • Upgrade Django to version 5.2.13 or later if using the 5.2 series.
  • Upgrade Django to version 4.2.30 or later if using the 4.2 series.

These versions include a fix where Django ignores headers containing underscores in ASGIRequest, preventing header spoofing.

Additionally, ensure that your reverse proxies (e.g., nginx) are configured to reject or strip headers with underscores, as many proxies protect against this by default.

