Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new
instances to be created via forged `POST` data.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Cantina for reporting this issue.
Published: 2026-04-07
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An admin changelist form that uses ModelAdmin.list_editable did not correctly validate forged POST data, so a user who already holds change permission on the model could create new model instances through the changelist without holding add permission. The CVSS vector (PR:H) and the advisory title ("privilege abuse") both point to an already-authenticated admin user exceeding their granted permissions, not to an unauthenticated path. Objects could be inserted without the intended add-permission check, which may let such a user insert data that grants elevated privileges or disrupts application logic.

Affected Systems

Django projects running versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30 are impacted. Earlier unsupported series, such as 5.0.x, 4.1.x, and 3.2.x, might also be affected.

Risk and Exploitability

The CVSS base score is 2.7 and the EPSS score is below 1%, indicating a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack requires access to the Django admin changelist pages and the ability to submit forged POST requests, making it most likely to be leveraged by authenticated staff users or individuals able to craft malicious administrative requests.

Generated by OpenCVE AI on April 13, 2026 at 18:25 UTC.

Remediation

Fixed in Django 6.0.4, 5.2.13 and 4.2.30 (see the version ranges in the description). No vendor workaround is provided.

OpenCVE Recommended Actions

  • Upgrade to Django 6.0.4 or later, 5.2.13 or later, or 4.2.30 or later.
  • If an upgrade is not immediately possible, restrict or disable the use of ModelAdmin.list_editable in the admin interface.
  • Ensure that only users with the appropriate permissions can access admin changelist forms.
  • Monitor incoming admin POST requests for unexpected object creation attempts.
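The impact paragraph above describes the forgery, and the last recommended action calls for monitoring admin POST requests for unexpected object-creation attempts. The block below is an added example, not code from the Django project or from the advisory: a stdlib-only Python check that models how a changelist POST for a `list_editable` formset is laid out and flags bodies that try to add rows rather than edit them. It assumes Django's default formset prefix `form` and the standard management-form counters `TOTAL_FORMS` and `INITIAL_FORMS`; that the forgery works by submitting more forms than the changelist rendered (or a row with no primary key) is an inference from the advisory description, not a quotation of the fix. Both request bodies are constructed for the example.

```python
# Added example: not Django project code. Stdlib only, runs without Django.
# Assumption: the changelist formset uses Django's default prefix "form" and
# the standard management-form counters; a forged body inflates TOTAL_FORMS
# (or omits a row's primary key) so the formset treats that row as a new object.
from urllib.parse import parse_qs

PREFIX = "form"

# Constructed sample bodies (urlencoded, as a browser would submit them).
# Legitimate save from a changelist that rendered two rows: edits pks 7 and 9.
LEGIT_BODY = (
    "form-TOTAL_FORMS=2&form-INITIAL_FORMS=2&form-MIN_NUM_FORMS=0&form-MAX_NUM_FORMS=0"
    "&form-0-id=7&form-0-is_active=on&form-1-id=9&_save=Save"
)
# Forged save: the same two rows plus a third with no "id" field, which a
# model formset would bind to a brand-new instance instead of an existing one.
FORGED_BODY = (
    "form-TOTAL_FORMS=3&form-INITIAL_FORMS=2&form-MIN_NUM_FORMS=0&form-MAX_NUM_FORMS=0"
    "&form-0-id=7&form-0-is_active=on&form-1-id=9"
    "&form-2-is_active=on&form-2-is_staff=on&_save=Save"
)


def _counter(data, name):
    """Read a management-form counter; missing or non-numeric values count as 0."""
    raw = data.get(f"{PREFIX}-{name}", "0")
    return int(raw) if raw.isdigit() else 0


def parse_changelist_post(body):
    """Split a urlencoded changelist POST into management counters and per-row data."""
    data = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    total = _counter(data, "TOTAL_FORMS")
    rows = []
    for i in range(total):
        row_prefix = f"{PREFIX}-{i}-"
        pk = data.get(f"{row_prefix}id", "")
        fields = {
            k[len(row_prefix):]: v
            for k, v in data.items()
            if k.startswith(row_prefix) and k != f"{row_prefix}id"
        }
        rows.append({"index": i, "pk": pk, "fields": fields})
    return {"total": total, "initial": _counter(data, "INITIAL_FORMS"), "rows": rows}


def analyze_changelist_post(body):
    """Flag a changelist POST that attempts to create objects rather than edit them.

    Two independent signals are checked: more forms submitted than the page
    initially rendered, and any row that carries no primary key (a row that
    cannot be an edit of an existing object, even if INITIAL_FORMS was also
    inflated to hide it). Either signal is enough to flag the request.
    """
    parsed = parse_changelist_post(body)
    new_rows = [r for r in parsed["rows"] if r["pk"] == ""]
    return {
        "total": parsed["total"],
        "initial": parsed["initial"],
        "new_rows": len(new_rows),
        "new_row_fields": [sorted(r["fields"]) for r in new_rows],
        "forged": parsed["total"] > parsed["initial"] or bool(new_rows),
    }


if __name__ == "__main__":
    for label, body in (("legit", LEGIT_BODY), ("forged", FORGED_BODY)):
        print(label, analyze_changelist_post(body))
```

The check reads only the request body, so it can sit in a WAF rule, a reverse-proxy log processor, or a Django middleware that inspects POSTs to admin changelist URLs. Note that it only detects creation attempts; on an unpatched release the formset would still create the object, so the upgrade remains the fix.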

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-mmwr-2jhp-mc7j   Django vulnerable to privilege abuse in ModelAdmin.list_editable
Ubuntu USN    USN-8154-1            Django vulnerabilities
Ubuntu USN    USN-8154-2            Django vulnerabilities
History

Mon, 13 Apr 2026 17:45:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Djangoproject
                                        Djangoproject django
Vendors & Products                      Djangoproject
                                        Djangoproject django

Wed, 08 Apr 2026 00:15:00 +0000

Type         Values Removed    Values Added
Weaknesses                     CWE-472
References
Metrics      threat_severity   threat_severity
             None              Moderate


Tue, 07 Apr 2026 18:00:00 +0000

Type      Values Removed    Values Added
Metrics                     cvssV3_1
                            {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}
                            ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 15:15:00 +0000

Type          Values Removed    Values Added
Description                     An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
Title                           Privilege abuse in ModelAdmin.list_editable
Weaknesses                      CWE-862
References

MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-04-07T15:12:56.065Z

Reserved: 2026-03-16T16:58:02.592Z

Link: CVE-2026-4292

Vulnrichment

Updated: 2026-04-07T15:12:42.904Z

NVD

Status: Analyzed

Published: 2026-04-07T15:17:46.650

Modified: 2026-04-13T17:34:48.397

Link: CVE-2026-4292

Redhat

Severity: Moderate

Public Date: 2026-04-07T14:22:38Z

Links: CVE-2026-4292 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:40:56Z

Weaknesses