Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Add permissions on inline model instances were not validated on submission of
forged `POST` data in `GenericInlineModelAdmin`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue.
Published: 2026-04-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Unvalidated Permission Changes
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs when a malicious actor submits forged POST data to Django’s GenericInlineModelAdmin, allowing the manipulation of permissions on inline model instances without proper validation. This lack of authorization checks means an attacker who can reach the admin interface could grant themselves additional privileges or modify data they are not permitted to access, leading to potential compromise of data integrity and confidentiality.

Affected Systems

Affected versions include Django 4.2 prior to 4.2.30, Django 5.2 prior to 5.2.13, and Django 6.0 prior to 6.0.4. Earlier unsupported series such as 5.0.x, 4.1.x, and 3.2.x may also be vulnerable.

Risk and Exploitability

The issue carries a CVSS score of 9.8, indicating a critical severity, yet the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, reflecting a low likelihood of widespread exploitation at present. Nevertheless, attackers who can reach the Django admin pages and submit forged POST requests can exploit this flaw; the adversary would need to send crafted data that bypasses the normal permission checks, which could lead to unauthorized privilege escalation and data tampering.

Generated by OpenCVE AI on April 13, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to version 6.0.4 or later for the 6.0 series.
  • Upgrade Django to version 5.2.13 or later for the 5.2 series.
  • Upgrade Django to version 4.2.30 or later for the 4.2 series.
  • If using unsupported Django series (5.0.x, 4.1.x, or 3.2.x), upgrade to a supported series or apply the latest patch manually.
  • As a temporary measure, restrict access to GenericInlineModelAdmin views and ensure that any custom permission handling enforces validation of POST data.

Generated by OpenCVE AI on April 13, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pwjp-ccjc-ghwg Django vulnerable to privilege abuse in GenericInlineModelAdmin
Ubuntu USN Ubuntu USN USN-8154-1 Django vulnerabilities
Ubuntu USN Ubuntu USN USN-8154-2 Django vulnerabilities
History

Mon, 13 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Wed, 08 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.
Title Privilege abuse in GenericInlineModelAdmin
Weaknesses CWE-862
References

Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-04-09T20:21:50.751Z

Reserved: 2026-03-16T15:26:08.125Z

Link: CVE-2026-4277

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T15:17:46.500

Modified: 2026-04-13T17:37:29.620

Link: CVE-2026-4277

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-07T14:22:25Z

Links: CVE-2026-4277 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:40:58Z

Weaknesses