CVE-2026-5766
Undergoing Analysis - In Progress
Memory Exhaustion via ASGI Content-Length Bypass in Django

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: Django Software Foundation

Description
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.
CVSS Scores: not yet assigned

EPSS Scores
Probability: not yet evaluated
Percentile: not yet evaluated

Meta Information
Published: 2026-05-05
Last Modified: 2026-05-05
Generated: 2026-05-07
AI Q&A: 2026-05-05
EPSS Evaluated: N/A
Affected Vendors & Products (5 associated CPEs)
Vendor   Product   Version / Range
django   django    before 5.2.14 (5.2 series)
django   django    before 6.0.5 (6.0 series)
django   django    5.0 (unsupported; not evaluated)
django   django    4.1 (unsupported; not evaluated)
django   django    3.2 (unsupported; not evaluated)
CWE ID    Description
CWE-130   Improper Handling of Length Parameter Inconsistency: the product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
AI Powered Q&A
How can this vulnerability impact me?

The vulnerability can allow attackers or users to upload large files that exceed the intended memory limits, leading to excessive memory consumption.

This can cause service degradation, potentially slowing down or crashing the application or server due to resource exhaustion.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, it is recommended to configure file upload size limits at the web server level rather than relying solely on Django's FILE_UPLOAD_MAX_MEMORY_SIZE setting.

Ensure that your Django version is updated to 6.0.5 or later, or 5.2.14 or later, as these versions address the issue.


Can you explain this vulnerability to me?

This vulnerability occurs in Django versions 6.0 before 6.0.5 and 5.2 before 5.2.14. It involves ASGI requests whose Content-Length header is missing or understates the real body size; because the size check keys off the declared length rather than the bytes actually received, such requests can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit.

Because of this bypass, large files can be loaded into memory without restriction, potentially causing service degradation.

Django recommends configuring upload size limits at the web server level rather than relying solely on the FILE_UPLOAD_MAX_MEMORY_SIZE setting.
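The two answers above (the mitigation steps and the explanation of the understated Content-Length) both come down to one defensive rule: a body-size cap must count the bytes that actually arrive, not the length the client claims. The following is an added example, not code from Django or from this advisory, of a framework-independent ASGI middleware that applies that rule and returns 413 when the running byte count passes a configured cap. The middleware class, the echo_size_app upstream, run_request, and the 1024-byte cap are all constructed for this illustration; a server-level limit such as the one the advisory recommends remains the primary control, and this sits behind it as defence in depth.

```python
import asyncio


class BodyTooLarge(Exception):
    """Raised inside the wrapped receive() once the byte count exceeds the cap."""


class BodySizeLimitMiddleware:
    """ASGI middleware (hypothetical, not Django's) that caps the request body
    by counting bytes as they arrive from receive(), so a missing or
    understated Content-Length header cannot get more than max_bytes through."""

    def __init__(self, app, max_bytes):
        self.app = app
        self.max_bytes = max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        received = 0
        response_started = False

        async def limited_receive():
            nonlocal received
            message = await receive()
            if message["type"] == "http.request":
                received += len(message.get("body", b""))
                if received > self.max_bytes:
                    raise BodyTooLarge(received)
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except BodyTooLarge:
            if response_started:
                raise  # status already committed; let the server abort the connection
            await tracking_send({"type": "http.response.start", "status": 413,
                                 "headers": [(b"content-type", b"text/plain")]})
            await tracking_send({"type": "http.response.body", "body": b"Payload Too Large"})


async def echo_size_app(scope, receive, send):
    """Constructed upstream app: buffers the whole body the way a naive upload
    handler would, then reports how many bytes it held in memory."""
    body = b""
    while True:
        message = await receive()
        body += message.get("body", b"")
        if not message.get("more_body", False):
            break
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": str(len(body)).encode()})


def run_request(app, chunks, content_length=None):
    """Drive an ASGI app with a constructed request whose body arrives in the
    given chunks; returns (status, response body). content_length is what the
    header claims and may be None (absent) or smaller than the real size."""
    headers = [(b"host", b"example.invalid")]
    if content_length is not None:
        headers.append((b"content-length", str(content_length).encode()))
    scope = {"type": "http", "method": "POST", "path": "/upload", "headers": headers}

    messages = [{"type": "http.request", "body": chunk, "more_body": i < len(chunks) - 1}
                for i, chunk in enumerate(chunks)]
    sent = []

    async def receive():
        return messages.pop(0)

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, body


if __name__ == "__main__":
    limited = BodySizeLimitMiddleware(echo_size_app, max_bytes=1024)
    # Header claims 10 bytes but 2048 actually arrive: a header-only check
    # would wave this through; the byte counter rejects it with 413.
    print(run_request(limited, [b"A" * 1024, b"B" * 1024], content_length=10))
    # No Content-Length at all, body within the cap: accepted with 200.
    print(run_request(limited, [b"C" * 512]))
```

The unwrapped echo_size_app accepts the same 2048-byte request and buffers all of it, which is the behaviour the advisory describes; the wrapped version stops reading at the cap, before the handler has allocated the full body. Note that a counting limit only protects handlers that read through the wrapped receive(), so it has to sit outermost in the ASGI stack.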

