Django vulnerable to ASGI header spoofing through underscore/hyphen confusion
Platform
python
Component
django
Fixed in
6.0.4
5.2.13
4.2.30
CVE-2026-3902 is a security vulnerability in Django 6.0 before 6.0.4, 5.2 before 5.2.13 and 4.2 before 4.2.30. It arises from an ambiguous mapping of header-name variants in the ASGIRequest component, which lets remote attackers spoof HTTP headers. Earlier, unsupported Django versions may also be affected but were not evaluated. Fixes are available in Django 6.0.4, 5.2.13 and 4.2.30.
Impact and attack scenarios
The vulnerability is in how Django's ASGIRequest turns the ASGI scope's header list into request.META. Each header name is upper-cased, its hyphens are replaced with underscores and the result is prefixed with HTTP_, so X-Forwarded-For and X_Forwarded_For both land on HTTP_X_FORWARDED_FOR. A client can therefore send both spellings: a front proxy that validates, strips or overwrites only the hyphenated header treats the underscore variant as an unrelated header and passes it through, and Django then folds both onto the same META key, so the attacker's value is processed alongside, or instead of, the one the proxy set. Any logic that trusts such headers is exposed: client-IP handling based on X-Forwarded-For, authentication or authorization decisions keyed on identity headers set by a proxy, or input validation that assumes the proxy has already sanitized a header. The advisory names no specific attack vector; the real impact depends on which headers the application trusts and on whether the deployment's proxy or ASGI server already drops header names containing underscores.
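To make the collision concrete, here is an added example (not Django's code and not from the advisory) that models how ASGIRequest derives META keys from the ASGI header list. meta_key, build_meta, first_forwarded_ip and the SAMPLE_HEADERS request are all constructed for the illustration; the order in which proxy-set and client-set headers arrive depends on the proxy, so in a real deployment the merged value may come out the other way round:

```python
"""Model of the hyphen/underscore collision in ASGI header-to-META mapping.

Added example, not Django's code: build_meta() mirrors the rule that Django's
ASGIRequest applies to the ASGI scope["headers"] list (upper-case the name,
swap '-' for '_', prefix with 'HTTP_', fold repeated keys into one value) so
the collision can be reproduced offline. SAMPLE_HEADERS is a constructed
request, not captured traffic.
"""
from typing import Dict, List, Optional, Tuple


def meta_key(name: str) -> str:
    """Map a raw header name to the CGI-style META key Django uses.

    Both 'x-forwarded-for' and 'x_forwarded_for' end up as HTTP_X_FORWARDED_FOR;
    that shared key is the root of the problem.
    """
    if name == "content-length":
        return "CONTENT_LENGTH"
    if name == "content-type":
        return "CONTENT_TYPE"
    return "HTTP_" + name.upper().replace("-", "_")


def build_meta(headers: List[Tuple[bytes, bytes]]) -> Dict[str, str]:
    """Vulnerable mapping: names that differ only in '-' vs '_' collide, and a
    repeated key is folded into one comma-joined value in arrival order."""
    meta: Dict[str, str] = {}
    for raw_name, raw_value in headers:
        key = meta_key(raw_name.decode("latin1"))
        value = raw_value.decode("latin1")
        if key in meta:
            value = meta[key] + "," + value
        meta[key] = value
    return meta


def first_forwarded_ip(meta: Dict[str, str]) -> Optional[str]:
    """A common pattern that the collision subverts: take the first entry of
    X-Forwarded-For as the client address."""
    value = meta.get("HTTP_X_FORWARDED_FOR")
    return value.split(",")[0].strip() if value else None


# Constructed sample: the client sent 'x_forwarded_for' (underscore), which a
# proxy that strips and re-sets only the hyphenated header leaves untouched;
# the proxy then appended its own 'x-forwarded-for' with the real peer address.
SAMPLE_HEADERS: List[Tuple[bytes, bytes]] = [
    (b"host", b"app.example"),
    (b"x_forwarded_for", b"10.0.0.1"),     # attacker-controlled
    (b"x-forwarded-for", b"203.0.113.7"),  # set by the proxy
]


def spoofed_client_ip() -> Optional[str]:
    """What the application believes the client address is for SAMPLE_HEADERS."""
    return first_forwarded_ip(build_meta(SAMPLE_HEADERS))


if __name__ == "__main__":
    meta = build_meta(SAMPLE_HEADERS)
    print(meta["HTTP_X_FORWARDED_FOR"])  # 10.0.0.1,203.0.113.7
    print(spoofed_client_ip())           # 10.0.0.1
```

The point to take from the run is that the application never gets to see two headers: by the time request.META exists there is one key holding both values, which is why filtering has to happen before Django builds the request.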
Exploitation context
CVE-2026-3902 was disclosed on 2026-04-07. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is currently assessed as low, but this could change if a public exploit is released. The vulnerability was reported by Tarek Nakkouch.
Who is at risk
Only ASGI deployments are exposed through this code path, since WSGI deployments do not use ASGIRequest. Within those, applications that trust request headers for client identification, authentication, authorization or input validation (for example X-Forwarded-For handling, or identity headers set by a front proxy) are most at risk, particularly where the proxy or ASGI server does not already drop header names containing underscores. Projects on older, unsupported series (5.1.x, 5.0.x, 4.1.x, 3.2.x and earlier) were not evaluated and should be assumed vulnerable, with no fix available for them. Shared hosting and multi-tenant setups, where one front proxy serves several applications, should prioritize patching.
Detection steps
• python / server:
# Check the installed Django version (affected: 6.0 before 6.0.4, 5.2 before 5.2.13, 4.2 before 4.2.30)
python -c "import django; print(django.get_version())"
• generic web:
# Look for the same header arriving in both spellings. Standard access-log formats do not
# record arbitrary request headers, so this only works if your log format includes them.
grep -Ei 'header_name_with_hyphens|header_name_with_underscores' /var/log/apache2/access.log
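As an added example of the version check above, the following script (not a vendor tool) compares a version string with the fixed releases this advisory lists and also extracts an exact Django pin from a requirements.txt. FIXED_IN, is_affected, find_django_pin and SAMPLE_REQUIREMENTS are names and data constructed for the example; treating series newer than 6.0 as fixed is likewise an assumption, not something the advisory states:

```python
"""Check a Django version string against the releases that fix CVE-2026-3902.

Added example, not a vendor tool. The fixed releases (6.0.4, 5.2.13, 4.2.30)
are the ones this advisory lists. Series older than 4.2 are out of support
and were not evaluated, so they are reported as affected; series newer than
6.0 are assumed to carry the fix (an assumption, not stated by the advisory).
SAMPLE_REQUIREMENTS is a constructed requirements.txt.
"""
import re
from importlib import metadata
from typing import Optional

FIXED_IN = {(6, 0): (6, 0, 4), (5, 2): (5, 2, 13), (4, 2): (4, 2, 30)}

# major.minor[.patch][pre-release tag], e.g. 5.2.12, 6.0, 6.0.4rc1
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z].*)?\s*$")


def is_affected(version: str) -> Optional[bool]:
    """True if `version` is affected, False if fixed, None if unparsable."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    prerelease = m.group(4) is not None  # '6.0.4rc1' sorts before 6.0.4
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        # Older series (5.1, 5.0, 4.1, 3.2, ...): unsupported, no fix released.
        # Newer series than 6.0: assumed to include the fix.
        return (major, minor) < (6, 0)
    if (major, minor, patch) < fixed:
        return True
    return prerelease and (major, minor, patch) == fixed


def find_django_pin(requirements: str) -> Optional[str]:
    """Return the version pinned with '==' for Django in requirements text,
    or None if Django is absent or not pinned to an exact version."""
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^django(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;,]*)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def installed_django_version() -> Optional[str]:
    """Version of the Django distribution in the current environment, if any."""
    try:
        return metadata.version("Django")
    except metadata.PackageNotFoundError:
        return None


# Constructed sample requirements file.
SAMPLE_REQUIREMENTS = """\
# web stack
Django==5.2.12   # LTS
uvicorn[standard]==0.30.0
"""

if __name__ == "__main__":
    pinned = find_django_pin(SAMPLE_REQUIREMENTS)
    print(pinned, "affected" if is_affected(pinned) else "fixed")
    current = installed_django_version()
    if current is not None:
        print(current, "affected" if is_affected(current) else "fixed")
```

Run it inside the project's virtualenv so installed_django_version() reports the version that actually serves traffic; a pin in requirements.txt and the deployed package can disagree.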
Threat analysis
Exploit status: no public proof of concept at disclosure (see Exploitation context above)
EPSS: 0.05% (14th percentile)
CVSS vector (as listed): AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Attack Vector: Network, exploitable remotely over the internet. No physical or local access required.
- Attack Complexity: Low, no special conditions required. Reliably exploitable.
- Privileges Required: None, exploitable without authentication. No credentials required.
- User Interaction: None, the attack is automatic and silent. The victim does nothing.
- Scope: Unchanged, impact confined to the vulnerable component.
- Confidentiality: None, no confidentiality impact.
- Integrity: High, the attacker can write, modify or delete arbitrary data.
- Availability: None, no availability impact.
Mitigation and workarounds
The fix is to upgrade to Django 6.0.4, 5.2.13 or 4.2.30 (or later in the same series); these releases resolve the ambiguous header mapping in ASGIRequest. If you cannot upgrade immediately, note that validation inside Django views or middleware is not a complete workaround: by the time request.META or request.headers exists, the hyphen and underscore variants have already been merged and cannot be told apart. Filtering has to happen before the request reaches Django, either at the reverse proxy (nginx, for example, drops header names containing underscores unless underscores_in_headers on is configured) or in an ASGI-level wrapper around the application that removes or rejects underscore-named headers. A WAF that inspects raw header names adds a further layer of defense. No Sigma or YARA rules are published for this issue; if your proxy or server logs request header names, look for the same header arriving in both spellings.
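The following added example (not Django's code) shows the ASGI-level workaround described above: a wrapper that removes or rejects underscore-named headers before the scope reaches Django, together with an in-memory harness that demonstrates the difference. DropUnderscoreHeaders, make_probe_app, run_request and SAMPLE_HEADERS are hypothetical names; the probe app and meta_from_scope only stand in for Django's own META construction so the effect is visible offline:

```python
"""ASGI-level workaround: drop (or reject) request headers whose names contain
an underscore before the request reaches Django.

Added example, not Django's code. Inside Django the two spellings have
already been merged into request.META, so the filter must sit outside the
Django application; in asgi.py that means wrapping it:
    application = DropUnderscoreHeaders(get_asgi_application())
The probe app and harness below stand in for Django and the ASGI server so
the effect can be checked offline; SAMPLE_HEADERS is a constructed request.
"""
import asyncio
from typing import Awaitable, Callable, Dict, List, Optional, Tuple

Scope = Dict[str, object]
Receive = Callable[[], Awaitable[dict]]
Send = Callable[[dict], Awaitable[None]]
ASGIApp = Callable[[Scope, Receive, Send], Awaitable[None]]


class DropUnderscoreHeaders:
    """ASGI middleware. reject=False silently removes underscore-named headers
    (what nginx does by default); reject=True answers 400 instead."""

    def __init__(self, app: ASGIApp, reject: bool = False) -> None:
        self.app = app
        self.reject = reject

    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
        if scope["type"] not in ("http", "websocket"):
            await self.app(scope, receive, send)  # lifespan etc. pass through
            return
        headers: List[Tuple[bytes, bytes]] = list(scope.get("headers", []))
        clean = [(name, value) for name, value in headers if b"_" not in name]
        if len(clean) != len(headers):
            if self.reject and scope["type"] == "http":
                await send({"type": "http.response.start", "status": 400,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"invalid header name\n"})
                return
            scope = dict(scope)  # copy: never mutate the server's scope in place
            scope["headers"] = clean
        await self.app(scope, receive, send)


def meta_from_scope(scope: Scope) -> Dict[str, str]:
    """The same collapsing mapping ASGIRequest applies; used by the probe app
    to show what Django would see."""
    meta: Dict[str, str] = {}
    for name, value in scope.get("headers", []):
        key = "HTTP_" + name.decode("latin1").upper().replace("-", "_")
        text = value.decode("latin1")
        meta[key] = meta[key] + "," + text if key in meta else text
    return meta


def make_probe_app(seen: Dict[str, str]) -> ASGIApp:
    """Stand-in for the Django application: records the META it would build."""
    async def app(scope: Scope, receive: Receive, send: Send) -> None:
        seen.update(meta_from_scope(scope))
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})
    return app


def run_request(app: ASGIApp, headers: List[Tuple[bytes, bytes]]) -> int:
    """Minimal in-memory ASGI server: one GET request, returns the status code."""
    scope: Scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}
    sent: List[dict] = []

    async def receive() -> dict:
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message: dict) -> None:
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return int(sent[0]["status"])


# Constructed sample: attacker-supplied underscore variant plus the proxy's real header.
SAMPLE_HEADERS: List[Tuple[bytes, bytes]] = [
    (b"x_forwarded_for", b"10.0.0.1"),
    (b"x-forwarded-for", b"203.0.113.7"),
]


def forwarded_for_seen(wrap: bool = True, reject: bool = False) -> Tuple[int, Optional[str]]:
    """Status code and HTTP_X_FORWARDED_FOR as the application sees it."""
    seen: Dict[str, str] = {}
    app: ASGIApp = make_probe_app(seen)
    if wrap:
        app = DropUnderscoreHeaders(app, reject=reject)
    status = run_request(app, SAMPLE_HEADERS)
    return status, seen.get("HTTP_X_FORWARDED_FOR")


if __name__ == "__main__":
    print(forwarded_for_seen(wrap=False))   # (200, '10.0.0.1,203.0.113.7')
    print(forwarded_for_seen())             # (200, '203.0.113.7')
    print(forwarded_for_seen(reject=True))  # (400, None)
```

In a Django project the wrapper goes around the object that asgi.py exports, so the filter runs before ASGIRequest is built. It is a stop-gap until the fixed release is deployed, not a replacement for it, and dropping rather than rejecting is the safer default if legitimate clients send underscore-named headers you do not depend on.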
How to fix
Upgrade Django to 6.0.4, 5.2.13 or 4.2.30 (or later in the same series) to close the ASGI header-spoofing vulnerability. These releases fix the issue where attackers could manipulate headers by exploiting the ambiguous mapping of hyphenated and underscored header-name variants in ASGIRequest.
Frequently asked questions
What is CVE-2026-3902 — Header Spoofing in Django?
CVE-2026-3902 is a HIGH severity vulnerability in Django affecting 6.0 before 6.0.4, 5.2 before 5.2.13 and 4.2 before 4.2.30. It allows remote attackers to spoof HTTP headers through an ambiguous header-name mapping in ASGIRequest.
Am I affected by CVE-2026-3902 in Django?
If you serve Django 6.0 earlier than 6.0.4, 5.2 earlier than 5.2.13 or 4.2 earlier than 4.2.30 through ASGI, you are affected. Older, unsupported series were not evaluated and should be assumed vulnerable.
How do I fix CVE-2026-3902 in Django?
Upgrade to Django 6.0.4, 5.2.13 or 4.2.30 (or later in the same series). If you cannot upgrade immediately, drop or reject underscore-named request headers at the reverse proxy or in an ASGI wrapper before the request reaches Django; validation inside Django cannot tell the variants apart once they have been merged into request.META.
Is CVE-2026-3902 being actively exploited?
As of the disclosure date, there are no confirmed reports of active exploitation. However, the vulnerability is publicly known and could be exploited in the future.
Where can I find the official Django advisory for CVE-2026-3902?
Refer to the official Django security announcement for details: https://www.djangoproject.com/security/advisories/CVE-2026-3902/