Platform: python
Component: django
Fixed in: 6.0.4, 5.2.13, 4.2.30
CVE-2026-3902 affects Django, a Python web development framework. It allows a remote attacker to spoof HTTP headers by exploiting an ambiguity in how Django maps header-name variants. The flaw can potentially lead to request manipulation and further attacks. Affected versions are Django 6.0 before 6.0.4, 5.2 before 5.2.13 and 4.2 before 4.2.30; other unsupported versions may also be vulnerable. A fix is available in Django 6.0.4.
The core of this vulnerability lies in Django's handling of HTTP headers. Specifically, the ASGIRequest component incorrectly maps header names that differ only by the presence of hyphens versus underscores to a single, underscore-based header. An attacker can exploit this by sending requests with both header variants, effectively controlling which header is processed by the application. This header spoofing can lead to a variety of consequences, including manipulating application logic, bypassing authentication checks, and potentially gaining unauthorized access to sensitive data. The impact is amplified if the application relies on these headers for critical functionality, such as authorization or input validation. While the description doesn't explicitly mention a specific attack vector, the ability to spoof headers opens the door to a broad range of attacks.
CVE-2026-3902 was disclosed on 2026-04-07. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is currently assessed as low, but this could change if a public exploit is released. The vulnerability was reported by Tarek Nakkouch.
Applications heavily reliant on HTTP headers for authentication, authorization, or input validation are particularly at risk. Django projects using older, unsupported versions (5.0.x, 4.1.x, 3.2.x) are also vulnerable, despite not being formally evaluated. Shared hosting environments where header manipulation could impact multiple applications should prioritize patching.
• python / server:

# Check the installed Django version
python -c "import django; print(django.get_version())"

• generic web:

# Inspect access logs for unusual header patterns (e.g., multiple headers with slight variations).
# The two header names are placeholders; -E is needed so '|' acts as alternation.
grep -iE 'header_name_with_hyphens|header_name_with_underscores' /var/log/apache2/access.log
Exploit status
EPSS: 0.05% (percentile 14%)
CVSS vector
The primary mitigation for CVE-2026-3902 is to upgrade to Django version 6.0.4 or later. This version contains a fix that resolves the ambiguous header mapping issue. If upgrading is not immediately feasible, consider implementing a temporary workaround by carefully validating and sanitizing all incoming HTTP headers within your Django application. This can involve explicitly checking for expected header names and formats, and rejecting any requests that deviate from these expectations. Web application firewalls (WAFs) configured to inspect and filter HTTP headers can also provide an additional layer of defense. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual header patterns in your access logs is recommended.
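To make the ambiguity described above concrete, and to show what the "validate and reject" workaround looks like in practice, here is an added example (not code from the Django project or from this advisory). It models the META key derivation that the description attributes to ASGIRequest (`HTTP_` prefix, upper-case, hyphens to underscores; the real implementation also special-cases a few headers, which this model ignores), flags raw header names that collide on the same key, and wraps an ASGI app in a hypothetical middleware that answers 400 when a request carries colliding names or any underscore-bearing name. The header names and values in the test are constructed.

```python
import asyncio


def meta_key(name: bytes) -> str:
    """Simplified model of how an ASGI header name becomes a META key:
    prefix HTTP_, upper-case, and replace '-' with '_'. Because both
    'x-tenant-id' and 'x_tenant_id' become HTTP_X_TENANT_ID, the raw
    names are indistinguishable once mapped (assumption: mirrors the
    behaviour the advisory describes, not Django's exact code)."""
    return "HTTP_" + name.decode("latin-1").upper().replace("-", "_")


def find_header_collisions(headers):
    """Given ASGI-style [(name_bytes, value_bytes), ...] pairs, return
    {meta_key: [raw names]} for every key that more than one distinct
    raw name maps to. An empty dict means the request is unambiguous."""
    seen = {}
    for raw_name, _value in headers:
        seen.setdefault(meta_key(raw_name), set()).add(raw_name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


def has_underscore_header(headers):
    """Underscores are not used by standard HTTP header names; treating
    any such name as suspicious closes the ambiguity outright."""
    return any(b"_" in name for name, _value in headers)


class RejectAmbiguousHeaders:
    """Hypothetical ASGI middleware: refuse requests whose header names
    collide after normalisation, or that contain an underscore, before
    the wrapped application ever sees them."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            headers = scope.get("headers", [])
            if find_header_collisions(headers) or has_underscore_header(headers):
                await send({
                    "type": "http.response.start",
                    "status": 400,
                    "headers": [(b"content-type", b"text/plain")],
                })
                await send({"type": "http.response.body", "body": b"ambiguous header names\n"})
                return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Minimal downstream app that always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok\n"})


def run_request(headers):
    """Drive the middleware with a constructed HTTP scope and return the
    status code it produced, so the policy can be checked offline."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}
    asyncio.run(RejectAmbiguousHeaders(_ok_app)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    # Constructed sample: the same logical header sent in both spellings.
    sample = [(b"x-tenant-id", b"acme"), (b"x_tenant_id", b"evil")]
    print(find_header_collisions(sample))
    print(run_request(sample))
```

`find_header_collisions` is the detection half (it can equally be pointed at header lists pulled from logs), while `RejectAmbiguousHeaders` is the workaround half; once the upgrade to a fixed Django release is done the middleware can be removed.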
Update Django to version 6.0.4, 5.2.13 or 4.2.30 or later to mitigate the ASGI header spoofing vulnerability. This update fixes an issue in which attackers could manipulate headers by exploiting an ambiguity in the mapping of header variants containing hyphens or underscores.
CVE-2026-3902 is a HIGH-severity vulnerability in Django affecting versions ≤6.0.3, 5.2 ≤5.2.13, and 4.2 ≤4.2.30. It allows remote attackers to spoof HTTP headers because of an ambiguous header mapping.
If you are using Django versions 6.0.3 or earlier, 5.2.13 or earlier, or 4.2.30 or earlier, you are potentially affected. Older, unsupported versions may also be vulnerable.
Upgrade to Django version 6.0.4 or later to resolve the header spoofing vulnerability. If immediate upgrade is not possible, implement header validation workarounds.
As of the disclosure date, there are no confirmed reports of active exploitation. However, the vulnerability is publicly known and could be exploited in the future.
Refer to the official Django security announcement for details: https://www.djangoproject.com/security/advisories/CVE-2026-3902/