Django Vulnerability in GenericInlineModelAdmin Affects Multiple Versions
CVE-2026-4277

9.8CRITICAL

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
7 April 2026

What is CVE-2026-4277?

A vulnerability was identified in Django's GenericInlineModelAdmin, where permissions on inline model instances were not properly validated during the submission of forged POST data. This can potentially lead to unauthorized access and manipulation of data in various Django applications. The issue affects versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Additionally, earlier unsupported Django series, such as 5.0.x, 4.1.x, and 3.2.x, may also be vulnerable. It is essential for users to upgrade to the patched versions to ensure the security of their applications.

Affected Version(s)

Django 6.0 < 6.0.4

Django 5.2 < 5.2.13

Django 4.2 < 4.2.30

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/apr/07/security...
vendor-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

N05ec@LZU-DSLab
Jacob Walls
Jacob Walls
.