Platform: python
Component: django
Fixed in: 6.0.4, 5.2.13, 4.2.30
CVE-2026-3902 is a vulnerability in Django that allows a remote attacker to spoof headers. It is caused by an ambiguous mapping of header variants in the ASGIRequest component. The vulnerability affects Django versions 6.0 (before 6.0.4), 5.2 (before 5.2.13) and 4.2 (before 4.2.30), and possibly older, unsupported versions as well. A patch is available in Django 6.0.4.
The core of this vulnerability lies in Django's handling of HTTP headers. Specifically, the ASGIRequest component incorrectly maps header names that differ only by the presence of hyphens versus underscores to a single, underscore-based header. An attacker can exploit this by sending requests with both header variants, effectively controlling which header is processed by the application. This header spoofing can lead to a variety of consequences, including manipulating application logic, bypassing authentication checks, and potentially gaining unauthorized access to sensitive data. The impact is amplified if the application relies on these headers for critical functionality, such as authorization or input validation. While the description doesn't explicitly mention a specific attack vector, the ability to spoof headers opens the door to a broad range of attacks.
CVE-2026-3902 was disclosed on 2026-04-07. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is currently assessed as low, but this could change if a public exploit is released. The vulnerability was reported by Tarek Nakkouch.
Applications heavily reliant on HTTP headers for authentication, authorization, or input validation are particularly at risk. Django projects using older, unsupported versions (5.0.x, 4.1.x, 3.2.x) are also vulnerable, despite not being formally evaluated. Shared hosting environments where header manipulation could impact multiple applications should prioritize patching.
• python / server:

    # Check Django version
    python -c "import django; print(django.get_version())"

• generic web:

    # Inspect access logs for unusual header patterns (e.g., multiple headers with slight variations);
    # -E enables the alternation operator used in the pattern
    grep -iE 'header_name_with_hyphens|header_name_with_underscores' /var/log/apache2/access.log

Disclosure
Exploit Status
EPSS: 0.05% (14th percentile)
CVSS vector
The primary mitigation for CVE-2026-3902 is to upgrade to Django version 6.0.4 or later. This version contains a fix that resolves the ambiguous header mapping issue. If upgrading is not immediately feasible, consider implementing a temporary workaround by carefully validating and sanitizing all incoming HTTP headers within your Django application. This can involve explicitly checking for expected header names and formats, and rejecting any requests that deviate from these expectations. Web application firewalls (WAFs) configured to inspect and filter HTTP headers can also provide an additional layer of defense. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual header patterns in your access logs is recommended.
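The mechanism described above (two spellings of one header name, one with hyphens and one with underscores, collapsing onto the same underscore-based META key) and the workaround suggested here (explicitly validating incoming header names and rejecting requests that deviate) can be demonstrated with a small pure-ASGI middleware. This is an added example, not Django's own code and not the upstream fix for CVE-2026-3902; the names `RejectAmbiguousHeaders`, `find_ambiguous_headers`, `meta_key` and `status_for` are assumptions made here, and the key collapse it checks mirrors the general CGI/WSGI convention of upper-casing a header name and replacing hyphens with underscores.

```python
"""Added example (not Django's or the upstream patch): reject requests whose
header names are ambiguous once collapsed to underscore-based META keys."""
import asyncio


def meta_key(raw_name: bytes) -> str:
    """Collapse a raw header name the way CGI/WSGI-style META keys do:
    upper-case it and replace '-' with '_'. Both b"x-real-ip" and
    b"x_real_ip" land on HTTP_X_REAL_IP, which is the ambiguity at issue."""
    return "HTTP_" + raw_name.decode("latin-1").upper().replace("-", "_")


def find_ambiguous_headers(headers):
    """Return {META key: sorted distinct raw spellings} for every key that
    more than one spelling reaches. The same spelling repeated is not a
    collision; only hyphen/underscore variants are."""
    reached = {}
    for raw_name, _value in headers:
        reached.setdefault(meta_key(raw_name), set()).add(raw_name.lower())
    return {
        key: sorted(n.decode("latin-1") for n in names)
        for key, names in reached.items()
        if len(names) > 1
    }


class RejectAmbiguousHeaders:
    """Hypothetical ASGI middleware: answer 400 when a request carries
    colliding header spellings or (if deny_underscores is set) any header
    name containing an underscore, so the wrapped app only ever sees
    unambiguous names. Wrap the ASGI application object with it."""

    def __init__(self, app, deny_underscores=True):
        self.app = app
        self.deny_underscores = deny_underscores

    def violations(self, headers):
        problems = list(find_ambiguous_headers(headers))
        if self.deny_underscores:
            problems += [n.decode("latin-1") for n, _ in headers if b"_" in n]
        return problems

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and self.violations(scope.get("headers", [])):
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body",
                        "body": b"ambiguous header names\n"})
            return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Stand-in for the protected application: always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def status_for(headers, deny_underscores=True):
    """Drive the middleware with a constructed ASGI request and return the
    HTTP status it produced (assumed helper for demonstration)."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}
    app = RejectAmbiguousHeaders(_ok_app, deny_underscores)
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    # Constructed sample request: the client supplies both spellings of one
    # header, each with a different value.
    spoofed = [
        (b"host", b"example.test"),
        (b"x-real-ip", b"10.0.0.1"),
        (b"x_real_ip", b"203.0.113.9"),
    ]
    print(find_ambiguous_headers(spoofed))  # {'HTTP_X_REAL_IP': ['x-real-ip', 'x_real_ip']}
    print(status_for(spoofed))              # 400
    print(status_for(spoofed[:2]))          # 200
```

Rejecting every underscored header name (the default above) is the stricter choice and matches how many front-end servers already behave; set `deny_underscores=False` if legitimate clients send such names and you only want the collision check.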
Upgrade Django to version 6.0.4, 5.2.13 or 4.2.30 or later to mitigate the ASGI header spoofing vulnerability. This update fixes an issue where attackers could manipulate headers by exploiting an ambiguity in the mapping of header variants containing hyphens or underscores.
CVE-2026-3902 is a HIGH severity vulnerability in Django affecting versions ≤6.0.3, 5.2 ≤5.2.13, and 4.2 ≤4.2.30. It allows remote attackers to spoof HTTP headers due to an ambiguous header mapping.
If you are using Django versions 6.0.3 or earlier, 5.2.13 or earlier, or 4.2.30 or earlier, you are potentially affected. Older, unsupported versions may also be vulnerable.
Upgrade to Django version 6.0.4 or later to resolve the header spoofing vulnerability. If immediate upgrade is not possible, implement header validation workarounds.
As of the disclosure date, there are no confirmed reports of active exploitation. However, the vulnerability is publicly known and could be exploited in the future.
Refer to the official Django security announcement for details: [https://www.djangoproject.com/security/advisories/CVE-2026-3902/]