CVE-2026-1207
Published: 03 February 2026
Summary
CVE-2026-1207 is a medium-severity SQL Injection (CWE-89) vulnerability in Django (vendor: Djangoproject). Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 11.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1207 is a SQL injection vulnerability affecting Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The issue resides in raster lookups on the RasterField, which is only implemented when using PostGIS. Attackers can exploit this by injecting SQL via the band index parameter. Earlier unsupported Django series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be vulnerable. The vulnerability is rated with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) and is associated with CWE-89.
An authenticated remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the band index parameter in raster lookups, the attacker can inject arbitrary SQL, potentially leading to limited confidentiality and integrity impacts, such as unauthorized data access or modification, though availability is unaffected.
Django's security advisories detail mitigation through upgrading to the patched versions: 6.0.2, 5.2.11, or 4.2.28. Relevant information is available in the official security release notes at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce mailing list at https://groups.google.com/g/django-announce, and the security release blog post at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/. The issue was reported by Tarek Nakkouch.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5253
Vulnerability details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in Django RasterField (PostGIS) directly enables remote exploitation of a public-facing web application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs such as the band index parameter before they reach the RasterField/PostGIS lookup code, blocking the SQL injection.
- SI-2 (Flaw Remediation): mandates timely application of vendor patches, directly addressing the root cause by upgrading Django to 6.0.2, 5.2.11, or 4.2.28 or later.
- Limits the set of authenticated users permitted to invoke raster lookup operations, reducing the population of users who could supply a malicious band index value.
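As an added, defence-in-depth illustration of the SI-10 control above (this is not code from Django or from the advisory), the helper below rejects any untrusted band index that is not a plain in-range integer before it is handed to a raster lookup; `parse_band_index`, `band_count` and the assumed 0-based index range are hypothetical names and conventions, and the Django lookup call itself is left out. Upgrading to a patched release remains the fix.

```python
import re

# Strict shape for an untrusted band index: 1-4 ASCII digits and nothing
# else. [0-9] rather than \d keeps Unicode digits out; no sign, whitespace,
# quotes, parentheses or comment sequences can pass.
_BAND_INDEX_RE = re.compile(r"\A[0-9]{1,4}\Z")


class BandIndexError(ValueError):
    """Raised when an untrusted band index value is rejected."""


def parse_band_index(raw, band_count: int) -> int:
    """Return a validated band index or raise BandIndexError.

    raw        : the value exactly as received (query string, JSON, form).
    band_count : number of bands in the raster being queried (assumed to be
                 supplied by the caller from trusted raster metadata).
    The accepted range 0 .. band_count-1 is an assumption of this example;
    match it to the indexing convention of your lookup layer.
    """
    # bool is a subclass of int; refuse it explicitly, and refuse None etc.
    if isinstance(raw, bool) or not isinstance(raw, (str, int)):
        raise BandIndexError("band index must be a string or integer")
    if isinstance(raw, str):
        if not _BAND_INDEX_RE.fullmatch(raw):
            raise BandIndexError("band index must be 1-4 ASCII digits")
        value = int(raw)
    else:
        value = raw
    if band_count < 1:
        raise BandIndexError("raster has no bands")
    if not 0 <= value < band_count:
        raise BandIndexError(f"band index {value} outside 0..{band_count - 1}")
    return value


def is_valid_band_index(raw, band_count: int) -> bool:
    """Convenience predicate for callers that only need accept/reject."""
    try:
        parse_band_index(raw, band_count)
    except BandIndexError:
        return False
    return True
```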