CVE-2026-1207
Published: 03 February 2026
Summary
CVE-2026-1207 is a medium-severity SQL Injection (CWE-89) vulnerability in Djangoproject Django. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in Django RasterField (PostGIS) directly enables remote exploitation of a public-facing web application.
NVD Description
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Deeper analysis
CVE-2026-1207 is a SQL injection vulnerability affecting Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The issue resides in raster lookups on the RasterField, which is only implemented when using PostGIS. Attackers can exploit this by injecting SQL via the band index parameter. Earlier unsupported Django series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be vulnerable. The vulnerability is rated with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) and is associated with CWE-89.
An authenticated remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the band index parameter in raster lookups, the attacker can inject arbitrary SQL, potentially leading to limited confidentiality and integrity impacts, such as unauthorized data access or modification, though availability is unaffected.
Django's security advisories detail mitigation through upgrading to the patched versions: 6.0.2, 5.2.11, or 4.2.28. Relevant information is available in the official security release notes at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce mailing list at https://groups.google.com/g/django-announce, and the security release blog post at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/. The issue was reported by Tarek Nakkouch.
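The version ranges above are what an inventory check needs. The following is an added example, not code from the advisory or from the Django project: it classifies an installed Django version string against the fixed releases and unevaluated series named here (the status names and the helper are this example's own assumptions; exposure additionally requires a PostGIS-backed RasterField, which the check does not inspect).

```python
"""Classify a Django version against CVE-2026-1207 (added example, not from Django)."""
from enum import Enum

# Fixed releases stated in the advisory, keyed by affected series.
FIXED = {(6, 0): (6, 0, 2), (5, 2): (5, 2, 11), (4, 2): (4, 2, 28)}
# Unsupported series the advisory says were not evaluated and may be affected.
UNEVALUATED = {(5, 0), (4, 1), (3, 2)}


class Status(Enum):
    FIXED = "fixed"              # at or above the fixed release for its series
    AFFECTED = "affected"        # listed series, below the fixed release
    UNEVALUATED = "unevaluated"  # series the advisory did not evaluate
    NOT_LISTED = "not-listed"    # series the advisory does not mention at all


def parse_version(text: str) -> tuple:
    """Parse 'X.Y' or 'X.Y.Z'; a pre-release suffix such as 'rc1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"bad version component: {piece!r}")
        parts.append(int(digits))
    return tuple(parts)


def cve_2026_1207_status(version: str) -> Status:
    """Return the advisory status for an installed Django version string."""
    v = parse_version(version)
    series = v[:2]
    if series in FIXED:
        patch = v[2] if len(v) > 2 else 0   # "6.0" means 6.0.0
        return Status.FIXED if series + (patch,) >= FIXED[series] else Status.AFFECTED
    if series in UNEVALUATED:
        return Status.UNEVALUATED
    return Status.NOT_LISTED


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("web-1", "5.2.10"), ("web-2", "5.2.11"), ("legacy", "5.0.14")]:
        print(host, ver, cve_2026_1207_status(ver).value)
```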
Details
- CWE(s)