Fixed in: 6.0.4, 5.2.13, 4.2.30
CVE-2026-4277 describes a permission validation bypass vulnerability discovered in Django versions 6.0, 5.2, and 4.2. An attacker can exploit this flaw by submitting forged POST data to manipulate inline model instances within GenericInlineModelAdmin, potentially leading to unauthorized modifications. Affected versions include those prior to 6.0.4, 5.2.13, and 4.2.30; a fix is available in the updated versions.
This vulnerability allows an attacker to bypass the add-permission check for inline model instances. Successfully exploiting this flaw could let an attacker modify data or perform actions they are not authorized to perform within the Django application. The impact depends on the permissions configured within the application and on the attacker's ability to craft malicious POST requests. While the CVSS score is LOW, the potential for unauthorized data modification warrants prompt remediation, especially in environments with sensitive data or critical business processes. This bypass could be leveraged to escalate privileges or compromise the integrity of the application's data.
CVE-2026-4277 was disclosed on 2026-04-07. There are currently no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog. The reported vulnerability highlights the importance of thorough input validation and robust permission management in web applications built with Django.
Applications utilizing Django's GenericInlineModelAdmin feature, particularly those with custom permission schemes or those that implicitly trust user input, are at risk. Shared hosting environments where multiple applications share the same Django installation are also vulnerable if that installation is a vulnerable version.
• python / server:
  # Check for vulnerable Django versions
  python -c 'import django; print(django.get_version())'
• python / application:
  # Inspect admin registrations for GenericInlineModelAdmin usage
  # Review code for potential vulnerabilities in permission handling
• generic web:
  # Monitor access logs for suspicious POST requests targeting inline model endpoints
  # Look for unusual parameters or data patterns
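Added example (not code from this advisory or from the Django project): a small script that compares a Django version string, or the exact pins found in a requirements file, against the fixed releases this page lists (6.0.4, 5.2.13, 4.2.30). It goes slightly beyond the one-line version check above by also scanning a requirements file; the sample file contents are constructed, and release series the advisory does not name are reported as not covered rather than assumed safe.

```python
import re
import sys
from typing import List, Optional, Tuple

# Fixed releases named in the CVE-2026-4277 advisory, keyed by release series.
# Any other series (e.g. 5.1, 5.0, 3.2) is not covered by the advisory and is
# reported as "not covered" rather than guessed at.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 4),
    (5, 2): (5, 2, 13),
    (4, 2): (4, 2, 30),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# Matches an exact pin such as "Django==5.2.12" (case-insensitive, optional spaces;
# trailing environment markers or comments are ignored).
_PIN_RE = re.compile(r"^\s*django\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.2.12' or '6.0.3' into (5, 2, 12) / (6, 0, 3).
    A missing patch number is treated as 0; pre-release suffixes are ignored."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if `version` is affected by CVE-2026-4277, False if it carries the fix,
    None if its release series is not one the advisory covers."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def scan_requirements(text: str) -> List[Tuple[str, Optional[bool]]]:
    """Find every exact Django pin in a requirements file and classify it.
    Range specifiers (>=, ~=) cannot be decided from the file alone and are skipped."""
    results = []
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            results.append((m.group(1), is_vulnerable(m.group(1))))
    return results


def installed_django_version() -> Optional[str]:
    """Version of the Django importable in the current interpreter, or None."""
    try:
        import django
    except ImportError:
        return None
    return django.get_version()


# Constructed sample requirements file (not from any real project).
SAMPLE_REQUIREMENTS = """\
# constructed sample
Django==5.2.12
requests==2.32.3
django == 6.0.4 ; python_version >= "3.10"
djangorestframework>=3.15
"""

if __name__ == "__main__":
    # Check the requirements file given on the command line, else the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REQUIREMENTS
    labels = {True: "VULNERABLE", False: "fixed", None: "series not covered by advisory"}
    for pin, status in scan_requirements(text):
        print(f"Django=={pin}: {labels[status]}")
    installed = installed_django_version()
    if installed is not None:
        print(f"installed Django {installed}: {labels[is_vulnerable(installed)]}")
```

Run it with a path to a requirements file to classify the project's pin, or without arguments to see the constructed sample; the installed-version check only reports when Django is importable in the current interpreter.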
Exploit status
EPSS: 0.06% (17th percentile)
The primary mitigation for CVE-2026-4277 is to upgrade to a patched version of Django. Specifically, upgrade to Django 6.0.4, 5.2.13, or 4.2.30 or later. If upgrading immediately is not feasible, consider implementing stricter server-side input validation to filter out potentially malicious POST data. While not a complete solution, this can reduce the attack surface. Review and tighten permission configurations within GenericInlineModelAdmin to minimize the potential impact of a successful bypass. After upgrading, confirm the fix by attempting to add an inline model instance with a user account that lacks the required add permission; the request should be rejected.
Update Django to version 6.0.4, 5.2.13, or 4.2.30 or later to mitigate the vulnerability. This update fixes a validation flaw in the handling of permissions for inline model instances, preventing privilege abuse through forged POST data.
CVE-2026-4277 is a LOW severity vulnerability affecting Django versions ≤6.0.3, 5.2 < 5.2.13, and 4.2 < 4.2.30. It allows forged POST data to bypass permission validation in GenericInlineModelAdmin, potentially leading to unauthorized data modification.
You are affected if you are using Django versions 6.0.3 or earlier, 5.2.12 or earlier, or 4.2.29 or earlier, and utilize the GenericInlineModelAdmin feature.
Upgrade to Django 6.0.4, 5.2.13, or 4.2.30 or later. Consider implementing stricter input validation as a temporary mitigation.
There are currently no reports of active exploitation or publicly available proof-of-concept exploits for CVE-2026-4277.
Refer to the official Django security advisory for details: https://www.djangoproject.com/security/advisories/CVE-2026-4277/