CVE-2026-3902
Published: 07 April 2026
Summary
CVE-2026-3902 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Djangoproject Django. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SA-22 (Unsupported System Components).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the specific header spoofing flaw in Django's ASGIRequest, directly preventing exploitation as recommended in the security advisory.
Prohibits use of unsupported and vulnerable Django versions affected by CVE-2026-3902, eliminating exposure to the header normalization ambiguity.
Vulnerability scanning identifies systems running affected Django versions, enabling remediation of the header spoofing vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote header spoofing flaw in Django's ASGIRequest that directly enables exploitation of public-facing web applications via crafted requests, leading to authentication bypass or malicious header injection.
NVD Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single…
more
version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Deeper analysisAI
CVE-2026-3902 is a header spoofing vulnerability in Django's ASGIRequest component, affecting versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. It arises from an ambiguous mapping where headers with hyphens or underscores are normalized to underscores, allowing a remote attacker to spoof headers. Earlier unsupported Django series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be vulnerable. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-290.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction by sending crafted requests that manipulate header variants. Successful exploitation enables header spoofing, leading to high integrity impacts, such as potentially bypassing authentication or injecting malicious data that applications interpret as legitimate headers.
Django's security advisories detail mitigation through upgrading to the fixed releases: 6.0.4, 5.2.13, or 4.2.30. Relevant information is available in the official security release notes at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce Google Group at https://groups.google.com/g/django-announce, and the security release blog post at https://www.djangoproject.com/weblog/2026/apr/07/security-releases/. The issue was responsibly reported by Tarek Nakkouch.
Details
- CWE(s)