Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Header Spoofing
Action: Apply Patch
AI Analysis

Impact

An error in Django's ASGIRequest class creates an ambiguity between headers containing hyphens and those containing underscores, returning the same underscore‑formatted header. This allows a remote attacker to cause header spoofing, potentially confusing application logic that relies on the header values. The vulnerability can be exploited by sending HTTP requests that include both hyphen‑ and underscore‑style header names, leading to unintended behavior within the Django application.

Affected Systems

Affected Django releases are 6.0 prior to 6.0.4, 5.2 prior to 5.2.13, and 4.2 prior to 4.2.30. Earlier unsupported series such as 5.0.x, 4.1.x and 3.2.x may also be impacted, but they are not actively maintained by the Django team.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, an EPSS score of less than 1 %, and it is not listed in the CISA KEV catalog. It is inferred that a remote attacker would send crafted HTTP requests to the ASGI endpoint to exploit the header name conflation. Although the description does not explicitly mention authentication, the flaw appears to be exploitable without prior authentication. The high severity reflects potential logic or authorization bypass, but the low exploitation probability suggests a moderate overall risk for present deployments.

Generated by OpenCVE AI on April 13, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to version 6.0.4 or later, 5.2.13 or later, or 4.2.30 or later.
  • If you are running an unsupported Django series, consider upgrading to a supported release.
  • Verify that your ASGI server is correctly configured to reject duplicate or conflicting header names.
  • Monitor and log incoming HTTP requests for unexpected or duplicate header names.
  • Review application logic that depends on request headers to ensure it handles header spoofing securely.

Generated by OpenCVE AI on April 13, 2026 at 18:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mvfq-ggxm-9mc5 Django vulnerable to ASGI header spoofing via underscore/hyphen conflation
Ubuntu USN Ubuntu USN USN-8154-1 Django vulnerabilities
History

Mon, 13 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Wed, 08 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-444
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Title ASGI header spoofing via underscore/hyphen conflation
Weaknesses CWE-290
References

Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-04-07T16:14:07.198Z

Reserved: 2026-03-10T18:33:26.472Z

Link: CVE-2026-3902

cve-icon Vulnrichment

Updated: 2026-04-07T16:13:58.332Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T15:17:46.353

Modified: 2026-04-13T17:38:05.533

Link: CVE-2026-3902

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-07T14:22:07Z

Links: CVE-2026-3902 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:40:59Z

Weaknesses