Platform: python
Component: django
Fixed in: 6.0.4, 5.2.13, 4.2.30
CVE-2026-4292 is a security vulnerability affecting Django admin changelist forms. This issue allows attackers to create new instances of models through forged POST data, potentially leading to unauthorized data manipulation and system compromise. The vulnerability impacts Django versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30, with earlier unsupported versions potentially also affected. A patch is available for Django 6.0.4.
A security vulnerability has been identified in Django, specifically within admin changelist forms utilizing ModelAdmin.list_editable. Prior to versions 6.0.4, 5.2.13, and 4.2.30, an attacker could create new data instances by forging POST data. This is due to incorrect validation of data during the instance creation process. While versions 5.0.x, 4.1.x, and 3.2.x were not directly evaluated, they may also be vulnerable. The severity of this vulnerability lies in its ability to allow unauthorized creation of records in the database through the admin interface, potentially compromising data integrity and application security.
An attacker could exploit this vulnerability by crafting a malicious POST form containing data designed to create a new model instance through ModelAdmin.list_editable. By manipulating the POST data, the attacker could bypass standard validations and create false records in the database. This exploitation is more likely in environments where the admin interface is not adequately protected or where users have excessive permissions. The lack of proper validation in handling POST data is the root cause of this vulnerability.
EPSS: 0.01% (2nd percentile)
The solution to this vulnerability is to update Django to a secure version. We strongly recommend upgrading to version 6.0.4 or higher, 5.2.13 or higher, or 4.2.30 or higher. If an immediate update is not possible, carefully review the code utilizing ModelAdmin.list_editable and implement additional validations to ensure received data is valid and does not allow unauthorized instance creation. Additionally, restrict access to the admin interface to authorized users and monitor application logs for suspicious activity. Cantina reported this vulnerability, and Django thanks them for their contribution to improving platform security.
Update Django to version 4.2.30, 5.2.13 or 6.0.4 or later to mitigate the vulnerability. This update fixes an issue that allowed the creation of new instances through forged POST data in the admin changelist forms, thereby preventing the abuse of privileges.
Affected versions are Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Versions 5.0.x, 4.1.x, and 3.2.x may also be vulnerable, although they were not directly evaluated.
You can update Django using pip install django==[new_version] or through your operating system's package management system.
If you cannot update immediately, review the code that uses ModelAdmin.list_editable and implement additional validations.
Cantina reported this vulnerability to Django.
Review the Django versions you are using and compare them to the affected versions. You can also review the code that uses ModelAdmin.list_editable for potential vulnerabilities.
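The version comparison suggested above, as an added example that is not part of the advisory or of Django itself: it encodes the affected and fixed ranges stated on this page, classifies a single version string, and scans requirements.txt lines for an exact Django pin. The sample requirements lines are constructed for the example.

```python
"""Classify a Django version against the CVE-2026-4292 ranges given in this
advisory.  Added example, not Django's own tooling; the ranges below are
copied from the advisory text, not from any other source."""
import re

# Supported branches and the first fixed release in each (from the advisory).
FIXED = {(6, 0): (6, 0, 4), (5, 2): (5, 2, 13), (4, 2): (4, 2, 30)}
# Branches the advisory says were not evaluated but may also be vulnerable.
UNEVALUATED = {(5, 0), (4, 1), (3, 2)}

# Constructed sample requirements file (not a real project's file).
SAMPLE_REQUIREMENTS = """\
# constructed sample
Django==4.2.29  # pinned by the project
requests==2.32.3
""".splitlines()


def parse_version(text):
    """'4.2.30' -> (4, 2, 30); a missing patch number is treated as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def status(version_text):
    """Return 'affected', 'fixed', 'unevaluated' or 'not listed'."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED:
        return "fixed" if version >= FIXED[branch] else "affected"
    if branch in UNEVALUATED:
        return "unevaluated"
    return "not listed"  # a branch the advisory does not mention at all


def check_requirements(lines):
    """Map each exact Django pin ('django==X.Y.Z') found in the lines to its status."""
    results = {}
    for line in lines:
        m = re.match(r"^\s*django\s*==\s*(\d+(?:\.\d+)*)", line, re.IGNORECASE)
        if m:
            results[m.group(1)] = status(m.group(1))
    return results


if __name__ == "__main__":
    for pinned, verdict in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"Django=={pinned}: {verdict}")
```

Range specifiers such as `django>=4.2,<5` are deliberately not classified, because the installed version is then only known at install time.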