CVE-2026-16212
Received Received - Intake

Race Condition in django-shop Purchase Stock Handler

Vulnerability report for CVE-2026-16212, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A vulnerability was identified in awesto django-shop up to 1.2.4. Affected is an unknown function of the file shop/models/inventory.py of the component Purchase Stock Handler. The manipulation leads to race condition. The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
awesto django-shop to 1.2.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the django-shop application up to version 1.2.4. It occurs during the checkout process when stock deduction is performed using a non-atomic read-modify-write sequence. This allows two simultaneous purchases of the last available item to both succeed, resulting in oversold inventory. The issue stems from a lack of row locking in the stock deduction process in shop/models/inventory.py and missing transaction isolation in shop/models/order.py.

Detection Guidance

To detect this race condition vulnerability in django-shop, monitor for oversold inventory during concurrent checkouts. Check if multiple orders succeed for the same last available stock unit. Review logs for failed transactions that should have succeeded or vice versa. Examine the shop/models/inventory.py and shop/models/order.py files for non-atomic stock deduction logic.

Impact Analysis

This vulnerability can lead to oversold inventory where more customers purchase the last available item than actually exists. This causes order fulfillment issues, customer dissatisfaction, and potential financial losses. Businesses using affected versions may unknowingly sell more items than they have in stock, leading to order cancellations or delays.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by enabling oversold inventory, which may lead to incorrect financial records or service disruptions. For GDPR, this could affect data integrity requirements under Article 5, while for HIPAA, it might compromise audit trails or transaction accuracy in healthcare-related e-commerce.

Mitigation Strategies

Implement row-level locking using Django's select_for_update() in the stock deduction process. Replace non-atomic read-modify-write sequences with atomic conditional updates. Add regression tests for concurrent checkouts of the last available unit. Temporarily limit concurrent checkouts or increase inventory buffer as a workaround.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16212. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart