CVE-2026-4277
Published: 07 April 2026
Summary
CVE-2026-4277 is a critical-severity Missing Authorization (CWE-862) vulnerability in Django (listed under vendor Djangoproject). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 6.2 percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws such as the missing authorization check in Django's GenericInlineModelAdmin; here that means upgrading to a fixed release, which removes the forged-POST path entirely.
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations for operations such as adding inline model instances, which is exactly the check that was not applied to POST submissions.
- SI-10 (Information Input Validation): provides server-side validation of submitted data such as forged POST payloads. This is defense in depth only; validating field contents does not decide whether the submitting user is allowed to create the row, so it reduces but does not remove the risk while the authorization check is missing.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a missing authorization check in Django's admin interface, which is commonly reachable over the network (hence T1190): a staff user who can submit a parent object's admin form can include forged POST data that creates inline model instances without holding add permission on the inline model. The Django admin only serves its views to authenticated, active staff accounts, so the technique applies to an attacker who already holds such credentials, not to an anonymous visitor.
NVD Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.
Deeper analysis
CVE-2026-4277 is a missing authorization vulnerability (CWE-862) in Django's GenericInlineModelAdmin (django.contrib.contenttypes.admin), the inline admin class used for generic relations: add permissions on inline model instances are not validated when forged POST data is submitted. It affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Earlier, unsupported series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated and may also be vulnerable. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which NVD rates as critical.
The vector scores the flaw as reachable without privileges (PR:N), but the Django admin only serves its views to authenticated, active staff users. In practice the attacker is therefore a logged-in admin user who can open and submit a parent object's change form (change permission on the parent) but lacks add permission on the inline model; by forging the POST data of that form, they can create inline instances that the permission model should have refused. The real impact depends on which models are exposed through GenericInlineModelAdmin and on what downstream code trusts those rows for, so the high confidentiality, integrity, and availability ratings are an upper bound rather than a description of every deployment. Until the upgrade is applied, exposure is bounded by the number of staff accounts holding change permission on models that carry generic inlines.
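The following is an added illustration written for this page; it is not Django's code and not the project's fix. It is a toy inline formset handler in plain Python with the unguarded behaviour beside the guarded one. The in-memory store, the permission names (change_parent, add_inline), the form prefix note_set, and the sample POST are all constructed for this example; the only thing taken from the page is the shape of the bug, add permission not being checked for new inline rows carried by forged POST data. The guarded version drops new-object forms for users without add permission, which is the same effect as the has_changed guard in Django's regular InlineModelAdmin as I recall it (treat that attribution as an assumption).

```python
"""Toy model of an admin inline formset handler (not Django's code)."""
from dataclasses import dataclass, field


@dataclass
class User:
    """Minimal stand-in for an authenticated admin user and their permissions."""
    username: str
    perms: frozenset

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class InlineStore:
    """In-memory stand-in for the inline model's table: id -> {field: value}."""
    rows: dict = field(default_factory=dict)
    next_id: int = 1

    def create(self, fields: dict) -> int:
        pk = self.next_id
        self.next_id += 1
        self.rows[pk] = dict(fields)
        return pk


def split_formset_post(post: dict, prefix: str) -> list:
    """Split submitted data into per-form dicts, driven by the management-form
    counter exactly as the client sent it. A forged TOTAL_FORMS therefore yields
    extra forms; an empty or missing 'id' means the form describes a new object."""
    total = int(post.get(f"{prefix}-TOTAL_FORMS", 0))
    forms = []
    for i in range(total):
        head = f"{prefix}-{i}-"
        data = {k[len(head):]: v for k, v in post.items() if k.startswith(head)}
        forms.append({"is_new": not data.get("id"), "pk": data.get("id"), "data": data})
    return forms


def save_inline_vulnerable(user: User, post: dict, prefix: str, store: InlineStore) -> list:
    """Saves every submitted form after checking only change permission on the
    parent; nothing asks whether this user may *add* inline objects."""
    if not user.has_perm("change_parent"):
        raise PermissionError("no change permission on parent")
    created = []
    for form in split_formset_post(post, prefix):
        fields = {k: v for k, v in form["data"].items() if k != "id"}
        if form["is_new"]:
            created.append(store.create(fields))
        else:
            store.rows[int(form["pk"])].update(fields)
    return created


def save_inline_fixed(user: User, post: dict, prefix: str, store: InlineStore) -> list:
    """Same handler with the add check: forms describing new objects are ignored
    unless the user holds add permission on the inline model, regardless of what
    the client put in TOTAL_FORMS. Existing rows are still updated."""
    if not user.has_perm("change_parent"):
        raise PermissionError("no change permission on parent")
    can_add = user.has_perm("add_inline")
    created = []
    for form in split_formset_post(post, prefix):
        fields = {k: v for k, v in form["data"].items() if k != "id"}
        if form["is_new"]:
            if not can_add:
                continue  # unauthorized new row: drop it rather than save it
            created.append(store.create(fields))
        else:
            store.rows[int(form["pk"])].update(fields)
    return created


# Constructed sample (not captured traffic): the browser rendered one existing
# row; the attacker bumped TOTAL_FORMS and appended a second, new row.
FORGED_POST = {
    "note_set-TOTAL_FORMS": "2",
    "note_set-INITIAL_FORMS": "1",
    "note_set-0-id": "1",
    "note_set-0-text": "edited legitimately",
    "note_set-1-id": "",
    "note_set-1-text": "injected by forged POST",
}


def demo() -> dict:
    """Run both handlers for a user who may edit the parent but not add inlines."""
    editor = User("editor", frozenset({"change_parent"}))
    vuln_store = InlineStore(rows={1: {"text": "original"}}, next_id=2)
    fixed_store = InlineStore(rows={1: {"text": "original"}}, next_id=2)
    return {
        "vulnerable_created": save_inline_vulnerable(editor, FORGED_POST, "note_set", vuln_store),
        "fixed_created": save_inline_fixed(editor, FORGED_POST, "note_set", fixed_store),
        "fixed_existing_text": fixed_store.rows[1]["text"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the client controls the management-form counters, so "how many forms arrived" can never stand in for "how many forms this user may create"; the permission decision has to be made per form, on the server, based on whether the form targets a new object.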
Django's security advisories, available at docs.djangoproject.com/en/dev/releases/security/, groups.google.com/g/django-announce, and www.djangoproject.com/weblog/2026/apr/07/security-releases/, recommend upgrading to Django 6.0.4, 5.2.13, or 4.2.30 (or later) to mitigate the issue. The vulnerability was responsibly disclosed by N05ec@LZU-DSLab.
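An added triage helper, my own and not from Django or NVD, that classifies installed Django versions against the affected ranges quoted above and lists the hosts that need action. The inventory is constructed (the strings are what `python -c "import django; print(django.get_version())"` would print on each host), and the category labels are assumptions made for this example; series newer than 6.0 are reported as outside the advisory's range because the page says nothing about them.

```python
"""Affected-version triage for CVE-2026-4277 (added example, not a Django tool)."""
import re

# From the advisory: 6.0 before 6.0.4, 5.2 before 5.2.13, 4.2 before 4.2.30.
FIXED_IN = {(6, 0): (6, 0, 4), (5, 2): (5, 2, 13), (4, 2): (4, 2, 30)}

# Django version strings: "5.2.13", "6.0", or pre-releases like "6.0a1" / "6.0rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, is_final) so that a pre-release sorts below
    the final release it precedes, e.g. 6.0a1 < 6.0 < 6.0.4."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch, 0 if m.group(4) else 1)


def classify(version_text: str) -> str:
    """Classify one installed version: 'affected', 'fixed', 'not_evaluated'
    (unsupported series the advisory did not assess), or 'outside_range'
    (series newer than any the advisory mentions)."""
    major, minor, patch, is_final = parse_version(version_text)
    series = (major, minor)
    if series in FIXED_IN:
        first_fixed = FIXED_IN[series] + (1,)  # the final release, not a pre-release
        return "affected" if (major, minor, patch, is_final) < first_fixed else "fixed"
    if series > max(FIXED_IN):
        return "outside_range"
    # 5.1, 5.0, 4.1, 3.2, ...: unsupported, "not evaluated and may also be affected".
    return "not_evaluated"


# Constructed inventory (hostname -> reported Django version); not real data.
INVENTORY = {
    "web-01": "5.2.12",
    "web-02": "5.2.13",
    "legacy-api": "4.2.29",
    "batch": "5.0.14",
    "staging": "6.0.4",
    "dev": "6.0a1",
}


def triage(inventory: dict) -> list:
    """Return (host, version, status) for every host that needs action, i.e. is
    affected or runs an unevaluated series, sorted by hostname."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(r for r in rows if r[2] in ("affected", "not_evaluated"))


if __name__ == "__main__":
    for host, ver, status in triage(INVENTORY):
        print(f"{host:12} {ver:8} {status}")
```

Hosts on an unevaluated series are listed alongside affected ones on purpose: the advisory gives no fixed release for them, so the only remediation that matches SI-2 is moving them to a supported series.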
Details
- CWE(s)