CVE-2026-16207
Received Received - Intake

Use of GET Request Method with Sensitive Query Strings in django-tastypie

Vulnerability report for CVE-2026-16207, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A vulnerability was detected in django-tastypie up to 0.15.1. Impacted is the function ApiKeyAuthentication of the file tastypie/authentication.py. The manipulation results in use of get request method with sensitive query strings. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
django_tastypie django_tastypie to 0.15.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-598 The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects django-tastypie up to version 0.15.1. It involves the ApiKeyAuthentication function in tastypie/authentication.py, where a manipulation allows attackers to use GET requests with sensitive query strings. The attack is remote and has high complexity with difficult exploitability. The project was notified but has not responded.

Detection Guidance

Detection involves checking for use of GET requests with sensitive query strings in django-tastypie versions up to 0.15.1. Inspect authentication logs for ApiKeyAuthentication function calls in tastypie/authentication.py. Look for unusual GET requests containing API keys or sensitive data in query parameters.

Impact Analysis

An attacker could exploit this to send sensitive data via GET requests, potentially exposing credentials or other sensitive information in query strings. This could lead to unauthorized access or data leaks if the API uses ApiKeyAuthentication.

Compliance Impact

This vulnerability could lead to unauthorized data exposure, violating GDPR's data protection principles or HIPAA's security requirements for safeguarding sensitive health information. Non-compliance may result in legal penalties or reputational damage.

Mitigation Strategies

Immediately upgrade django-tastypie to a version beyond 0.15.1 if available. If no patch exists, disable ApiKeyAuthentication or restrict GET requests with sensitive query strings. Monitor network traffic for suspicious GET requests involving API keys.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16207. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart