Django Framework Vulnerability in File Upload Handling
CVE-2026-5766

6.3MEDIUM

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
5 May 2026

What is CVE-2026-5766?

A vulnerability in the Django framework allows ASGI requests with an incorrectly configured Content-Length header to bypass the FILE_UPLOAD_MAX_MEMORY_SIZE setting. This can lead to excessive memory usage when large files are uploaded, potentially degrading the service's performance. It is recommended that users configure upload limits at the web server level in addition to using the framework's FILE_UPLOAD_MAX_MEMORY_SIZE setting to mitigate this issue. Additionally, earlier unsupported versions such as 5.0.x, 4.1.x, and 3.2.x may also be susceptible, although they have not been specifically evaluated.

Affected Version(s)

Django 6.0 < 6.0.5

Django 5.2 < 5.2.14

Django 6.0.5

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/may/05/security...
vendor-advisory

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kyle Agronick
Jacob Walls
Sarah Boyce
.