CVE-2026-33034
Published: 07 April 2026
Summary
CVE-2026-33034 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Django (djangoproject). Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 10.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely remediation of the flaw in Django, i.e. patching to a fixed release (6.0.4, 5.2.13, or 4.2.30).
- SC-5 (Denial-of-service Protection): implements denial-of-service protections at system entry points, such as request body size limits enforced on the bytes actually received (not only on the declared Content-Length) to block unbounded memory allocation.
- SC-6 (Resource Availability): protects resource availability by dedicating memory limits and controls that prevent exhaustion from oversized or mis-declared ASGI request bodies.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public-facing Django web application and can be exploited remotely for denial of service via memory exhaustion (CWE-770), which maps directly to T1190 (Exploit Public-Facing Application) and T1499.004 (Endpoint Denial of Service: Application or System Exploitation).
NVD Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.
Deeper analysis
CVE-2026-33034 is a vulnerability in the Django web framework affecting versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. It arises during ASGI request handling where a missing or understated Content-Length header allows attackers to bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when accessing HttpRequest.body. This results in loading an unbounded request body into memory. Earlier, unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated but may also be vulnerable. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-770 (Allocation of Resources Without Limits or Throttling).
Remote attackers need no privileges or user interaction to exploit this over the network. Because the DATA_UPLOAD_MAX_MEMORY_SIZE check is applied against the declared Content-Length before the body is read, a request whose header is absent or smaller than the real body passes that check, and the full body the client actually sends is then read into memory when HttpRequest.body is accessed. An attacker can therefore stream a body far larger than the configured limit and exhaust server memory, causing denial of service.
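The bypass described above, and the SC-5 style body-size control listed under Mitigating Controls, reduce to one question: is the limit enforced on the declared Content-Length or on the bytes actually received? The following is an added example, not Django's own code and not a reproduction of the fixed or unfixed Django source. It models a minimal ASGI body reader in both forms. RequestDataTooBig, MAX_BODY, the reader and helper names, the 64-byte limit, the 16-byte chunking and the request bodies are all assumptions made for the demo, and headers are modelled as a plain dict rather than ASGI's list of byte pairs.

```python
"""Added example (not Django's code): a header-trusting ASGI body reader that a
missing or understated Content-Length defeats, beside a hardened reader that
counts the bytes it actually receives.

All names, the limit, the chunk size and the request bodies are assumptions.
"""
import asyncio

MAX_BODY = 64  # stand-in for DATA_UPLOAD_MAX_MEMORY_SIZE, kept tiny for the demo


class RequestDataTooBig(Exception):
    """Raised when a body exceeds MAX_BODY; records how many bytes were buffered."""

    def __init__(self, received: int):
        super().__init__(f"request body exceeds {MAX_BODY} bytes")
        self.received = received


def make_receive(body: bytes, chunk_size: int = 16):
    """Build a fake ASGI ``receive`` that streams ``body`` in ``chunk_size`` pieces.

    Constructed for the demo: a real ASGI server supplies this callable, and the
    client, not the header, decides how many bytes arrive.
    """
    chunks = [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)] or [b""]

    async def receive():
        chunk = chunks.pop(0)
        return {"type": "http.request", "body": chunk, "more_body": bool(chunks)}

    return receive


async def read_body_trusting_header(headers: dict, receive) -> bytes:
    """Vulnerable pattern: the limit is checked only against the declared length.

    A missing header defaults to 0 and an understated one is believed, so the
    loop below then buffers whatever the client actually sends.
    """
    declared = int(headers.get("content-length", 0))
    if declared > MAX_BODY:
        raise RequestDataTooBig(0)
    buf = bytearray()
    while True:
        msg = await receive()
        buf += msg.get("body", b"")
        if not msg.get("more_body", False):
            return bytes(buf)


async def read_body_counting_bytes(headers: dict, receive) -> bytes:
    """Hardened pattern: keep the cheap pre-check, but enforce the limit on bytes
    actually received, so the header cannot be used to bypass it."""
    declared = headers.get("content-length")
    if declared is not None and int(declared) > MAX_BODY:
        raise RequestDataTooBig(0)
    buf = bytearray()
    while True:
        msg = await receive()
        buf += msg.get("body", b"")
        if len(buf) > MAX_BODY:
            raise RequestDataTooBig(len(buf))  # stop before the whole body is in memory
        if not msg.get("more_body", False):
            return bytes(buf)


def run_request(reader, headers: dict, body: bytes):
    """Drive a reader with a constructed request.

    Returns ("accepted", bytes_buffered) or ("rejected", bytes_buffered_at_rejection).
    """
    try:
        data = asyncio.run(reader(headers, make_receive(body)))
        return ("accepted", len(data))
    except RequestDataTooBig as exc:
        return ("rejected", exc.received)


if __name__ == "__main__":
    oversized = b"A" * 200  # constructed body, well over MAX_BODY
    cases = [("understated", {"content-length": "10"}),
             ("missing", {}),
             ("honest", {"content-length": "200"})]
    for name, headers in cases:
        print(name, "trusting header:", run_request(read_body_trusting_header, headers, oversized))
        print(name, "counting bytes: ", run_request(read_body_counting_bytes, headers, oversized))
```

With the understated or missing header the trusting reader buffers all 200 bytes, while the counting reader stops at the first chunk that pushes the buffer past 64 bytes; an honest header is rejected by both before any body is read. The same distinction applies to any proxy or server limit placed in front of Django: it only helps if it is enforced on received bytes.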
Django's security advisories, detailed in the release notes, the django-announce group, and the April 7, 2026 weblog post, recommend upgrading to the patched versions: 6.0.4, 5.2.13, or 4.2.30. The issue was reported by Superior, and no additional mitigations are specified beyond applying these updates. Until the upgrade is deployed, a request-body size cap enforced at the reverse proxy or ASGI server in front of Django reduces exposure, provided it is enforced on bytes actually received rather than on the declared Content-Length.
Details
- CWE(s)