Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
ASGI requests with a missing or understated `Content-Length` header could
bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
`HttpRequest.body`, allowing remote attackers to load an unbounded request body into
memory.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Superior for reporting this issue.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Immediate Patch
AI Analysis

Impact

A flaw in Django's ASGI request handling allows a remote attacker to craft a request with a missing or understated Content-Length header. This bypasses the DATA_UPLOAD_MAX_MEMORY_SIZE limit, causing the server to load the entire request body into memory. The result is unbounded memory consumption, which can lead to application slowdown or crash, effectively denying service to legitimate users. The weakness falls under Data Size Manipulation (CWE-130) and Memory Consumption (CWE-770).

Affected Systems

The vulnerability affects Django releases 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Unchecked, older, unsupported series such as 5.0.x, 4.1.x, and 3.2.x may also be at risk. Application developers using any of these Django versions should verify their current release and plan an upgrade to a patched version.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is categorized as high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, attackers can trigger the flaw remotely from the network by sending an ASGI request that intentionally omits or falsely reports the Content-Length header, thereby forcing the server to allocate excessive memory. Patching the Django framework is the only definitive mitigation.

Generated by OpenCVE AI on April 13, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Django version in use and confirm it is at least 6.0.4, 5.2.13, or 4.2.30. Install the latest patched release from the official Django distribution channels. If an immediate upgrade is not possible, temporarily block or rate limit incoming ASGI requests that lack a valid Content-Length header. Monitor logs for unusually large request bodies and ensure the server environment has adequate memory protection and limits. Verify that the deployment platform enforces correct Content-Length handling and consider disabling any custom middleware that could interfere with the upload limits.

Generated by OpenCVE AI on April 13, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-933h-hp56-hf7m Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit
Ubuntu USN Ubuntu USN USN-8154-1 Django vulnerabilities
History

Mon, 13 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Wed, 08 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.
Title Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
Weaknesses CWE-770
References

Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-04-07T20:44:01.819Z

Reserved: 2026-03-17T17:36:23.992Z

Link: CVE-2026-33034

cve-icon Vulnrichment

Updated: 2026-04-07T20:43:58.036Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T15:17:39.393

Modified: 2026-04-13T17:38:35.420

Link: CVE-2026-33034

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-07T14:22:59Z

Links: CVE-2026-33034 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:40:54Z

Weaknesses