HIGH · CVE-2026-33034 · CVSS 7.5

CVE-2026-33034: Memory Exhaustion in Django

Platform

python

Component

django

Fixed in

6.0.4

5.2.13

4.2.30

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-33034 describes a memory exhaustion vulnerability in Django 6.0, 5.2, and 4.2. An attacker can craft ASGI requests with a missing or understated Content-Length header, bypassing the DATA_UPLOAD_MAX_MEMORY_SIZE limit and potentially causing a denial of service. The vulnerability affects versions prior to 6.0.4, 5.2.13, and 4.2.30; fixed releases are available.


Impact and Attack Scenarios

This vulnerability allows a remote attacker to bypass Django's memory limit for uploaded data. By sending a request with a manipulated Content-Length header, an attacker can force Django to load an arbitrarily large request body into memory, leading to a denial-of-service (DoS) condition that can crash the Django application or exhaust server resources. The impact is most severe where Django handles user-uploaded files or processes large data payloads. The description mentions no data exposure, and the CVSS vector rates the confidentiality and integrity impact as None; the risk described is service disruption.

Exploitation Context

This vulnerability was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the potential for DoS attacks warrant immediate attention. The vulnerability is not listed on CISA KEV as of this writing. Superior reported the issue, indicating a proactive security research effort.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.03% (9th percentile)

CVSS Vector

CVSS 3.1 base score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: django
Vendor: osv

Affected range    Fixed in
6.0 – 6.0.4       6.0.4
5.2 – 5.2.13      5.2.13
4.2 – 4.2.30      4.2.30

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched 1 day after disclosure

Mitigation and Workarounds

The primary mitigation is to upgrade Django to a patched version: 6.0.4, 5.2.13, or 4.2.30. If upgrading immediately is not feasible, a temporary workaround is to strictly validate the Content-Length header in your ASGI middleware, for example by rejecting requests with missing or suspiciously small headers. Additionally, review your DATA_UPLOAD_MAX_MEMORY_SIZE setting to ensure it limits the amount of memory consumed by uploaded data to a value appropriate for your deployment. After upgrading, confirm the fix by sending a test request with a deliberately oversized Content-Length header and verifying that Django rejects it.
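The middleware workaround can be shown without Django. The following is an added example, not code from this page or from the Django project: a small pure-ASGI middleware (the name BodyLimitMiddleware and its helpers are assumptions) that enforces a DATA_UPLOAD_MAX_MEMORY_SIZE-style cap on the bytes actually received instead of trusting the header, so a missing or understated Content-Length cannot bypass it. It goes one step beyond the text's "reject missing headers": Content-Length is legitimately absent on GET requests and on chunked uploads, so the example rejects only malformed or oversized declarations up front and otherwise counts bytes as they stream, tripping as soon as the body exceeds either the cap or the declared length. The default of 2,621,440 bytes is Django's documented default for DATA_UPLOAD_MAX_MEMORY_SIZE; echo_app and run_request are a constructed in-process harness, not a server.

```python
import asyncio

# Django's documented default for DATA_UPLOAD_MAX_MEMORY_SIZE is 2.5 MiB.
DEFAULT_MAX_BODY_BYTES = 2_621_440


class BodyTooLarge(Exception):
    """Raised inside the wrapped receive() once the body exceeds a limit."""


def declared_content_length(headers):
    """Return (present, value) for Content-Length; value is None if absent or malformed."""
    for name, value in headers:
        if name.lower() == b"content-length":
            try:
                n = int(value)
            except ValueError:
                return True, None
            return True, (n if n >= 0 else None)
    return False, None


async def plain_response(send, status, body):
    """Send a complete text/plain response on behalf of the middleware."""
    headers = [(b"content-type", b"text/plain"), (b"content-length", str(len(body)).encode())]
    await send({"type": "http.response.start", "status": status, "headers": headers})
    await send({"type": "http.response.body", "body": body})


class BodyLimitMiddleware:
    """Hypothetical ASGI middleware: caps the body on bytes actually received,
    so a missing or understated Content-Length header cannot bypass the limit."""

    def __init__(self, app, max_body_bytes=DEFAULT_MAX_BODY_BYTES):
        self.app = app
        self.max_body_bytes = max_body_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        present, declared = declared_content_length(scope.get("headers", []))
        if present and declared is None:
            await plain_response(send, 400, b"Malformed Content-Length")
            return
        if declared is not None and declared > self.max_body_bytes:
            # Honest but oversized header: reject before reading any body.
            await plain_response(send, 413, b"Request body too large")
            return
        state = {"received": 0, "response_started": False}

        async def limited_receive():
            message = await receive()
            if message["type"] == "http.request":
                state["received"] += len(message.get("body", b""))
                # Trip on the cap, or on a body longer than the header declared.
                if state["received"] > self.max_body_bytes or (
                        declared is not None and state["received"] > declared):
                    raise BodyTooLarge()
            return message

        async def tracking_send(message):
            if message["type"] == "http.response.start":
                state["response_started"] = True
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except BodyTooLarge:
            # A 413 can only be sent if the inner app has not started responding.
            if not state["response_started"]:
                await plain_response(send, 413, b"Request body too large")


async def echo_app(scope, receive, send):
    """Constructed inner app: reads the whole body and reports its size."""
    total = 0
    while True:
        message = await receive()
        total += len(message.get("body", b""))
        if not message.get("more_body", False):
            break
    await plain_response(send, 200, f"read {total} bytes".encode())


def run_request(content_length, chunks, max_body_bytes=64):
    """Drive the middleware with a constructed POST (no server, no Django).
    content_length is the raw header value, or None to omit the header; each
    chunk is delivered as its own http.request event. Returns (status, body)."""
    headers = [(b"host", b"example.test")]
    if content_length is not None:
        headers.append((b"content-length", content_length))
    scope = {"type": "http", "method": "POST", "path": "/upload", "headers": headers}
    pending, sent = list(chunks), []

    async def receive():
        body = pending.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(pending)}

    async def send(message):
        sent.append(message)

    asyncio.run(BodyLimitMiddleware(echo_app, max_body_bytes)(scope, receive, send))
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return sent[0]["status"], body
```

With a 64-byte cap, run_request(b"10", [b"0123456789"]) passes through with a 200, while a header of b"5" followed by 40 bytes, or no header followed by 80 bytes, both end in a 413 before the inner app finishes reading. The b"1000" header case is the post-upgrade check the text describes (an oversized declaration rejected outright). The response_started bookkeeping matters because ASGI gives a middleware no way to retract a response the inner app has already begun; in that case the only option is to stop forwarding body and let the connection close, which is another reason the real fix is the upgrade.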

How to fix

Update Django to version 6.0.4, 5.2.13, or 4.2.30 or later to mitigate the vulnerability. This update fixes an issue that allows attackers to load unbounded request bodies into memory, which could lead to a denial of service. See the release notes for more details.

Frequently asked questions

What is CVE-2026-33034 — Memory Exhaustion in Django?

CVE-2026-33034 is a HIGH severity vulnerability affecting Django 6.0 up to 6.0.3, 5.2 before 5.2.13, and 4.2 before 4.2.30. It allows attackers to bypass memory limits by manipulating Content-Length headers, potentially leading to a denial of service.

Am I affected by CVE-2026-33034 in Django?

If you are using Django versions 6.0, 5.2, or 4.2 prior to 6.0.4, 5.2.13, or 4.2.30, respectively, you are potentially affected by this vulnerability.

How do I fix CVE-2026-33034 in Django?

Upgrade Django to version 6.0.4, 5.2.13, or 4.2.30. As a temporary workaround, implement strict Content-Length header validation in your ASGI middleware.

Is CVE-2026-33034 being actively exploited?

There is currently no public evidence of active exploitation, but the vulnerability's ease of exploitation warrants immediate action.

Where can I find the official Django advisory for CVE-2026-33034?

Refer to the official Django security advisory for detailed information and updates: https://www.djangoproject.com/security/
