Spoofing Vulnerability in Django Web Framework Versions
CVE-2026-3902

CVSS 3.1 base score: 7.5 (HIGH)

Key Information:

Vendor: Django (Django Software Foundation)
CVE Published: 7 April 2026

What is CVE-2026-3902?

CVE-2026-3902 is a header-spoofing vulnerability in the Django Web Framework. Under the CGI/WSGI convention, a request header such as X-Example-Header reaches the application as HTTP_X_EXAMPLE_HEADER: the name is upper-cased, every hyphen becomes an underscore, and underscores already present in the name are left alone. An attacker-supplied header spelled with underscores (X_Example_Header) therefore lands on the same key as the hyphenated one, and any mapping that treats the two spellings interchangeably cannot distinguish a header set by a trusted proxy from one injected by the client. The advisory describes exactly this: a remote, unauthenticated attacker can spoof headers through an ambiguous mapping that mixes hyphenated and underscored variants. The issue is present in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Older, end-of-life series such as 5.0.x, 4.1.x, and 3.2.x may also be affected but were not evaluated. Upgrade to 6.0.4, 5.2.13, or 4.2.30. As defence in depth, configure the reverse proxy or WSGI server to drop or refuse header names containing underscores so that the ambiguous spelling never reaches the application (nginx already does this by default with underscores_in_headers off).
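The following is an added example, not Django's code and not part of the advisory. It reproduces the CGI/WSGI name mapping described above in plain Python so the collision can be observed offline, then shows one hardened policy: refusing any header name that contains an underscore before the environ is built. The header names, values, the last_wins behaviour of the simulated server, and the AmbiguousHeader exception are all constructed assumptions for this demonstration.

```python
# Added example, not Django's or the advisory's code: demonstrates why the
# CGI/WSGI header-name mapping is ambiguous and one way to refuse the
# ambiguous spellings before they reach the application. All header names
# and values below are constructed for the demo.


def wsgi_meta_key(header_name):
    """Map a raw HTTP header name to its CGI/WSGI environ key (PEP 3333).

    The name is upper-cased, every '-' becomes '_', and 'HTTP_' is prefixed.
    Underscores already in the name are left alone, so 'X-Client-IP' and
    'X_Client_IP' both become 'HTTP_X_CLIENT_IP'. (Real servers special-case
    Content-Type and Content-Length; that detail is omitted here.)
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(raw_headers, last_wins=True):
    """Simulate a server building environ from raw headers, tracking collisions.

    Returns (environ, collisions). collisions maps every environ key that was
    fed by more than one distinct raw header name (compared case-insensitively,
    since HTTP header names are case-insensitive) to the sorted list of those
    names. Which value survives when names collide is server-specific; the
    last_wins flag is an assumption for this demo.
    """
    environ = {}
    sources = {}
    for name, value in raw_headers:
        key = wsgi_meta_key(name)
        names = sources.setdefault(key, [])
        if name.lower() not in {n.lower() for n in names}:
            names.append(name)
        if last_wins or key not in environ:
            environ[key] = value
    collisions = {k: sorted(v) for k, v in sources.items() if len(v) > 1}
    return environ, collisions


class AmbiguousHeader(ValueError):
    """Raised for a header name that could collide with a hyphenated one."""


def build_environ_strict(raw_headers):
    """Hardened variant: refuse any header name that contains an underscore.

    This is the same policy as dropping such headers at the edge (nginx does
    so by default via underscores_in_headers off), except that it fails loudly.
    With underscores refused, distinct hyphenated names map to distinct keys,
    so no collision is possible.
    """
    for name, _ in raw_headers:
        if "_" in name:
            raise AmbiguousHeader("refusing header name with underscore: %r" % name)
    environ, _collisions = build_environ(raw_headers)
    return environ


# Constructed sample: a trusted proxy sets X-Client-IP, and the client also
# sends the underscored spelling, which lands on the same environ key.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X-Client-IP", "203.0.113.10"),  # value the proxy set (constructed)
    ("X_Client_IP", "10.0.0.1"),      # attacker-supplied (constructed)
]


if __name__ == "__main__":
    environ, collisions = build_environ(SAMPLE_HEADERS)
    print(environ["HTTP_X_CLIENT_IP"], collisions)
    try:
        build_environ_strict(SAMPLE_HEADERS)
    except AmbiguousHeader as exc:
        print("rejected:", exc)
```

Running the block shows the attacker's 10.0.0.1 overwriting the proxy's 203.0.113.10 under the single key HTTP_X_CLIENT_IP, with the collision report naming both spellings; the strict builder refuses the request instead. Whether the first or last value wins in a real deployment depends on the WSGI server, which is why the fix belongs at the point where the raw names are still visible, not in application code that only ever sees the merged key.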

Affected Version(s)

Django 6.0 < 6.0.4 (fixed in 6.0.4)
Django 5.2 < 5.2.13 (fixed in 5.2.13)
Django 4.2 < 4.2.30 (fixed in 4.2.30)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Score: 7.5
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 7 April 2026

Credit

Tarek Nakkouch
Jacob Walls