CVE-2026-5766
Analyzed Analyzed - Analysis Complete
Memory Exhaustion via ASGI Content-Length Bypass in Django

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: Django Software Foundation

Description
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5766
EUVD
EUVD-2026-27381
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
djangoproject django From 5.2 (inc) to 5.2.14 (exc)
djangoproject django From 6.0 (inc) to 6.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-130 The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can allow attackers or users to upload large files that exceed the intended memory limits, leading to excessive memory consumption.

This can cause service degradation, potentially slowing down or crashing the application or server due to resource exhaustion.

Mitigation Strategies

To mitigate this vulnerability, it is recommended to configure file upload size limits at the web server level rather than relying solely on Django's FILE_UPLOAD_MAX_MEMORY_SIZE setting.

Ensure that your Django version is updated to 6.0.5 or later, or 5.2.14 or later, as these versions address the issue.

Executive Summary

This vulnerability occurs in Django versions 6.0 before 6.0.5 and 5.2 before 5.2.14. It involves ASGI requests that have a missing or understated Content-Length header, which can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit.

Because of this bypass, large files can be loaded into memory without restriction, potentially causing service degradation.

Django recommends configuring upload size limits at the web server level rather than relying solely on the FILE_UPLOAD_MAX_MEMORY_SIZE setting.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5766. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart