Cyber Resilience

CVE-2026-1207

Severity: Medium (updated)
Published: 03 February 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: 6.0.2 / 5.2.11 / 4.2.28
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0378 (88.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-1207 is a medium-severity SQL Injection (CWE-89) vulnerability in Djangoproject Django. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 11.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1207 is a SQL injection vulnerability affecting Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The issue resides in raster lookups on the RasterField, which is only implemented when using PostGIS. Attackers can exploit this by injecting SQL via the band index parameter. Earlier unsupported Django series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be vulnerable. The vulnerability is rated with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) and is associated with CWE-89.

An authenticated remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the band index parameter in raster lookups, the attacker can inject arbitrary SQL, potentially leading to limited confidentiality and integrity impacts, such as unauthorized data access or modification, though availability is unaffected.

Django's security advisories detail mitigation through upgrading to the patched versions: 6.0.2, 5.2.11, or 4.2.28. Relevant information is available in the official security release notes at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce mailing list at https://groups.google.com/g/django-announce, and the security release blog post at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/. The issue was reported by Tarek Nakkouch.

Vulnerability details

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField (only implemented on PostGIS) allow remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in Django RasterField (PostGIS) directly enables remote exploitation of a public-facing web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64459 (same product: Djangoproject Django)
CVE-2026-3902 (same product: Djangoproject Django)
CVE-2026-1285 (same product: Djangoproject Django)
CVE-2026-4277 (same product: Djangoproject Django)
CVE-2026-33034 (same product: Djangoproject Django)
CVE-2025-14550 (same product: Djangoproject Django)
CVE-2026-25673 (same product: Djangoproject Django)
CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)

Affected Assets

djangoproject / django: 4.2 before 4.2.28 · 5.2 before 5.2.11 · 6.0 before 6.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent · SI-10 (Information Input Validation): Directly requires validation of untrusted inputs such as the band index parameter before they reach the RasterField/PostGIS lookup code, blocking the SQL injection.

prevent · SI-2 (Flaw Remediation): Mandates timely application of vendor patches, directly addressing the root cause by upgrading Django to 6.0.2/5.2.11/4.2.28 or later.

prevent · access restriction: Limits the set of authenticated users permitted to invoke raster lookup operations, reducing the population that can supply the malicious band index parameter.
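The SI-10 control above asks for validation of the band index before it reaches lookup code. The following is an added example of what that check looks like at the application boundary; it is not code from Django or from the advisory. The function names, the MAX_BAND limit and the ST_Band SQL fragment are illustrative assumptions and do not reproduce Django's internal RasterField lookup implementation. The point it demonstrates is the difference between splicing an untrusted value into SQL text (the CWE-89 pattern) and binding a validated integer as a query parameter.

```python
"""Added example, not from the advisory or from Django: validate a raster band
index before it reaches a PostGIS lookup, and bind it as a query parameter
rather than interpolating it into SQL text. Function names, MAX_BAND and the
SQL fragment are illustrative assumptions, not Django's RasterField code."""
import re
from typing import Tuple

# PostGIS band numbers are 1-based. The upper bound is a constructed sanity
# limit for the example; a deployment would derive it from its raster metadata.
MAX_BAND = 64
_BAND_RE = re.compile(r"\A[0-9]{1,3}\Z")


class InvalidBandIndex(ValueError):
    """Raised when user-supplied input is not a valid band number."""


def parse_band_index(raw) -> int:
    """Accept only a small positive integer (int or decimal string).

    Anything else, including SQL-shaped text, floats, negatives and booleans,
    is rejected before it can take part in query construction.
    """
    if isinstance(raw, bool):  # bool is an int subclass; True must not become band 1
        raise InvalidBandIndex(f"band index must be an integer, got {raw!r}")
    if isinstance(raw, int):
        value = raw
    elif isinstance(raw, str) and _BAND_RE.match(raw.strip()):
        value = int(raw.strip())
    else:
        raise InvalidBandIndex(f"band index must be a positive integer, got {raw!r}")
    if not 1 <= value <= MAX_BAND:
        raise InvalidBandIndex(f"band index {value} outside 1..{MAX_BAND}")
    return value


def unsafe_band_sql(raw) -> str:
    """The CWE-89 pattern: untrusted text spliced straight into the SQL string."""
    return f"ST_Band(rast, {raw})"


def safe_band_sql(raw) -> Tuple[str, Tuple[int]]:
    """Hardened form: validated integer passed as a bound DB-API parameter.

    The returned pair is what you would hand to cursor.execute(sql, params);
    the database driver, not string formatting, places the value in the query.
    """
    band = parse_band_index(raw)
    return "ST_Band(rast, %s)", (band,)


def band_index_is_clean(raw) -> bool:
    """Boolean form, usable in a request validator or when reviewing logged input."""
    try:
        parse_band_index(raw)
        return True
    except InvalidBandIndex:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: legitimate bands and malformed values.
    for sample in ("2", "1 OR 1=1", "-1", 3):
        print(repr(sample), "->", band_index_is_clean(sample))
```

The validator is deliberately stricter than "is it an int": it refuses booleans, whitespace-only strings and out-of-range values, so a rejected input surfaces as a 4xx and a log line rather than reaching the database. Even with validation in place, the parametrised form in safe_band_sql is the one to keep; the upgrade to 6.0.2, 5.2.11 or 4.2.28 (SI-2) remains the fix for the Django code path itself.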

References