Platform
python
Component
django
Fixed in
6.0.4
5.2.13
4.2.30
6.0.4
4.2.30
4.2.30
CVE-2026-3902 is a security vulnerability affecting Django versions 6.0.3 and earlier, 5.2.13 and earlier, and 4.2.30 and earlier. This issue arises from an ambiguous mapping of header variants within the ASGIRequest component, enabling remote attackers to potentially spoof headers. While earlier, unsupported Django versions may also be affected, they were not evaluated. A fix is available in Django 6.0.4.
The core of this vulnerability lies in Django's handling of HTTP headers. Specifically, the ASGIRequest component incorrectly maps header names that differ only by the presence of hyphens versus underscores to a single, underscore-based header. An attacker can exploit this by sending requests with both header variants, effectively controlling which header is processed by the application. This header spoofing can lead to a variety of consequences, including manipulating application logic, bypassing authentication checks, and potentially gaining unauthorized access to sensitive data. The impact is amplified if the application relies on these headers for critical functionality, such as authorization or input validation. While the description doesn't explicitly mention a specific attack vector, the ability to spoof headers opens the door to a broad range of attacks.
CVE-2026-3902 was disclosed on 2026-04-07. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is currently assessed as low, but this could change if a public exploit is released. The vulnerability was reported by Tarek Nakkouch.
Exploit Status
EPSS
0.05% (14% percentile)
CVSS Vector
The primary mitigation for CVE-2026-3902 is to upgrade to Django version 6.0.4 or later. This version contains a fix that resolves the ambiguous header mapping issue. If upgrading is not immediately feasible, consider implementing a temporary workaround by carefully validating and sanitizing all incoming HTTP headers within your Django application. This can involve explicitly checking for expected header names and formats, and rejecting any requests that deviate from these expectations. Web application firewalls (WAFs) configured to inspect and filter HTTP headers can also provide an additional layer of defense. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual header patterns in your access logs is recommended.
Update Django to version 6.0.4, 5.2.13, or 4.2.30 or higher to mitigate the ASGI header spoofing vulnerability. This update corrects an issue where attackers could manipulate headers by exploiting an ambiguity in the mapping of header variants with hyphens or underscores.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-3902 is a HIGH severity vulnerability in Django affecting versions ≤6.0.3, 5.2 ≤5.2.13, and 4.2 ≤4.2.30. It allows remote attackers to spoof HTTP headers due to an ambiguous header mapping.
If you are using Django versions 6.0.3 or earlier, 5.2.13 or earlier, or 4.2.30 or earlier, you are potentially affected. Older, unsupported versions may also be vulnerable.
Upgrade to Django version 6.0.4 or later to resolve the header spoofing vulnerability. If immediate upgrade is not possible, implement header validation workarounds.
As of the disclosure date, there are no confirmed reports of active exploitation. However, the vulnerability is publicly known and could be exploited in the future.
Refer to the official Django security announcement for details: [https://www.djangoproject.com/security/advisories/CVE-2026-3902/]
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.