CVE-2026-4277
Received Received - Intake
Permission Bypass in Django GenericInlineModelAdmin via Forged POST Data

Publication date: 2026-04-07

Last updated on: 2026-04-13

Assigner: Django Software Foundation

Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4277
EUVD
EUVD-2026-19687
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
djangoproject django From 4.2 (inc) to 4.2.30 (exc)
djangoproject django From 5.2 (inc) to 5.2.13 (exc)
djangoproject django From 6.0 (inc) to 6.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in certain versions of Django before 6.0.4, 5.2.13, and 4.2.30. It involves a failure to validate add permissions on inline model instances when forged POST data is submitted in the GenericInlineModelAdmin component.

Because of this, an attacker could potentially submit unauthorized data through inline model forms, bypassing permission checks that should normally prevent such actions.

Impact Analysis

The impact of this vulnerability is that unauthorized users might be able to add or modify inline model instances in a Django application by submitting forged POST requests.

This could lead to unauthorized data manipulation, potentially compromising the integrity of the application's data and possibly allowing privilege escalation or other malicious activities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4277. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart