CVE-2026-4277
Received Received - Intake

Permission Bypass in Django GenericInlineModelAdmin via Forged POST Data

Vulnerability report for CVE-2026-4277, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-07

Last updated on: 2026-04-13

Assigner: Django Software Foundation

Description

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-07
Last Modified
2026-04-13
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
djangoproject django From 4.2 (inc) to 4.2.30 (exc)
djangoproject django From 5.2 (inc) to 5.2.13 (exc)
djangoproject django From 6.0 (inc) to 6.0.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in certain versions of Django before 6.0.4, 5.2.13, and 4.2.30. It involves a failure to validate add permissions on inline model instances when forged POST data is submitted in the GenericInlineModelAdmin component.

Because of this, an attacker could potentially submit unauthorized data through inline model forms, bypassing permission checks that should normally prevent such actions.

Impact Analysis

The impact of this vulnerability is that unauthorized users might be able to add or modify inline model instances in a Django application by submitting forged POST requests.

This could lead to unauthorized data manipulation, potentially compromising the integrity of the application's data and possibly allowing privilege escalation or other malicious activities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4277. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart