Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Published: 2026-04-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service – performance degradation
Action: Apply Patch
AI Analysis

Impact

The Django web framework's MultiPartParser contains a flaw where base64-encoded file uploads (parts declaring Content-Transfer-Encoding: base64) that include excessive whitespace force the parser to perform unnecessary decoding work, consuming CPU cycles and causing the server to slow down or become unresponsive. This is a resource-exhaustion weakness aligned with CWE-1286 and CWE-407.

Affected Systems

Affected installations include Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Unsupported series such as 5.0.x, 4.1.x, and 3.2.x were not checked but could also be at risk; site owners should verify their current version and plan an upgrade if necessary.

Risk and Exploitability

The CVSS score of 6.5 signals moderate severity, while an EPSS below 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog and no public exploits are known. A remote attacker can trigger the issue via an unauthenticated HTTP POST carrying a multipart upload that declares Content-Transfer-Encoding: base64 and contains large amounts of whitespace.

Generated by OpenCVE AI on April 13, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed Django release (6.0.4 or newer, 5.2.13 or newer, or 4.2.30 or newer).
  • If an immediate upgrade is not possible, block or strip base64-encoded multipart uploads with excessive whitespace on all file-upload endpoints.
  • Validate the deployment by testing large base64 uploads and monitoring CPU usage to ensure the denial-of-service condition is resolved.
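As an added example (not Django's own code and not the upstream fix), the second action above can be implemented as a pre-parse guard that inspects the raw multipart/form-data body before Django's MultiPartParser touches the request, for instance from middleware. The 5% whitespace threshold, the helper names and the sample bodies are assumptions constructed for this example.

```python
import base64
import email
import re

WHITESPACE_RE = re.compile(r"\s")


def base64_part_whitespace_ratio(body: bytes, boundary: str) -> float:
    """Highest fraction of whitespace bytes in any part that declares
    Content-Transfer-Encoding: base64; 0.0 when no such part exists."""
    # Wrap the raw body in a MIME header so the stdlib parser can split the parts.
    wrapper = f"Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n"
    msg = email.message_from_bytes(wrapper.encode() + body)
    worst = 0.0
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64":
            continue  # only base64-declared parts are relevant to this advisory
        raw = part.get_payload(decode=False)  # undecoded text of the part
        if raw:
            worst = max(worst, len(WHITESPACE_RE.findall(raw)) / len(raw))
    return worst


def should_reject_upload(body: bytes, boundary: str, max_ratio: float = 0.05) -> bool:
    """Base64 wrapped at 76 columns is about 2.5% line breaks, so a 5% cap
    (assumed threshold, tune for your clients) leaves headroom for normal uploads."""
    return base64_part_whitespace_ratio(body, boundary) > max_ratio


# Constructed sample bodies (hypothetical boundary) for a quick self-check.
BOUNDARY = "constructed-boundary"


def build_body(payload: str, cte: str = "base64") -> bytes:
    part = (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"file\"; "
            f"filename=\"f.bin\"\r\nContent-Transfer-Encoding: {cte}\r\n\r\n{payload}\r\n")
    return (part + f"--{BOUNDARY}--\r\n").encode()


NORMAL_B64 = base64.encodebytes(b"A" * 60).decode()                  # 76-column wrapped
PADDED_B64 = " " * 2000 + NORMAL_B64.replace("\n", " " * 50 + "\n")  # whitespace-heavy
```

Reading the full body in middleware costs memory on large uploads, so pair the guard with the existing DATA_UPLOAD_MAX_MEMORY_SIZE / FILE_UPLOAD_MAX_MEMORY_SIZE limits rather than relying on it alone.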


Advisories

Source       ID                    Title
Github GHSA  GHSA-5mf9-h53q-7mhq   Django has potential DoS via MultiPartParser through crafted multipart uploads
Ubuntu USN   USN-8154-1            Django vulnerabilities
Ubuntu USN   USN-8154-2            Django vulnerabilities

History

Mon, 13 Apr 2026 17:45:00 +0000
  CPEs, values added: cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000
  First Time appeared, values added: Djangoproject; Djangoproject django
  Vendors & Products, values added: Djangoproject; Djangoproject django

Wed, 08 Apr 2026 00:15:00 +0000
  Weaknesses, values added: CWE-1286
  References: (no values listed)
  Metrics threat_severity, values removed: None; values added: Moderate

Tue, 07 Apr 2026 18:00:00 +0000
  Metrics cvssV3_1, values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  Metrics ssvc, values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 15:15:00 +0000
  Description, values added: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
  Title, values added: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
  Weaknesses, values added: CWE-407
  References: (no values listed)

MITRE
  Status: PUBLISHED
  Assigner: DSF
  Published:
  Updated: 2026-04-07T15:21:27.926Z
  Reserved: 2026-03-17T17:36:23.992Z
  Link: CVE-2026-33033

Vulnrichment
  Updated: 2026-04-07T15:21:23.777Z

NVD
  Status: Analyzed
  Published: 2026-04-07T15:17:39.220
  Modified: 2026-04-13T17:39:05.543
  Link: CVE-2026-33033

Redhat
  Severity: Moderate
  Public Date: 2026-04-07T14:22:48Z
  Links: CVE-2026-33033 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-04-14T16:40:55Z

Weaknesses