CVE-2026-4292
Unauthorized Instance Creation via Forged POST in Django Admin
Publication date: 2026-04-07
Last updated on: 2026-04-13
Assigner: Django Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| djangoproject | django | From 4.2 (inc) to 4.2.30 (exc) |
| djangoproject | django | From 5.2 (inc) to 5.2.13 (exc) |
| djangoproject | django | From 6.0 (inc) to 6.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of Django before 6.0.4, 5.2.13, and 4.2.30. It involves the admin changelist forms that use the `ModelAdmin.list_editable` feature. Due to improper handling, these forms incorrectly allowed attackers to create new instances by submitting forged POST data.
Earlier unsupported Django versions such as 5.0.x, 4.1.x, and 3.2.x may also be affected, although they were not officially evaluated.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to create unauthorized new instances in the Django admin interface by exploiting the list_editable feature with forged POST requests. This could lead to unauthorized data creation, potentially compromising the integrity of the application's data.