Improper Header Processing Vulnerability in Daphne by Django
CVE-2026-44546

3.7 LOW

Key Information:

CVE Published: 3 June 2026

What is CVE-2026-44546?

The vulnerability in Daphne arises from its handling of raw HTTP requests. When processing headers parsed by Twisted, Daphne fails to recognize certain byte sequences as valid header line separators. An attacker can exploit this parser behavior to inject additional headers into the ASGI scope that the application processes. As a result, malicious requests that include these byte sequences in their headers can bypass standard security measures. Version 4.2.2 of Daphne adds validation that rejects any request containing these byte values with a 400 status code.

Affected Version(s)

daphne 4.2.0 <= 4.2.1

daphne 4.2.2

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rene Henningsen
Carlton Gibson