Description
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kyle Agronick for reporting this issue.
Published: 2026-05-05
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Django's ASGI request handling lets an unauthenticated remote client bypass the in-memory file upload limit by omitting or understating the Content-Length header. The framework can then read a large upload into memory, leading to memory exhaustion and service degradation. The weakness is classified as CWE-130 (Improper Handling of Length Parameter Inconsistency): a declared length is trusted even though it does not match the amount of data actually received.

Affected Systems

The vulnerability affects Django 6.0 before 6.0.5 and 5.2 before 5.2.14. Earlier, unsupported Django series such as 5.0.x, 4.1.x and 3.2.x were not evaluated and may also be affected; being out of support, they are not covered by the fixed releases.

Risk and Exploitability

The CVSS v4.0 score of 6.3 (v3.1: 5.3) indicates moderate severity; both vectors describe an unauthenticated network attack with availability impact only, and the v4.0 vector's AT:P records that a deployment precondition is needed. No EPSS score is available and the vulnerability is not listed in CISA KEV, so no exploitation has been recorded to date. The attack is remote: a client sends a file upload over ASGI that either omits the Content-Length header (a chunked request, for example) or understates it, so that the check against FILE_UPLOAD_MAX_MEMORY_SIZE passes and the body is read into memory regardless of its real size. If no web server or reverse proxy enforces its own request body limit in front of Django, such a request can exhaust the worker's memory and degrade or crash the service. The risk therefore depends on the deployment: an upstream body limit stops the request before it reaches the application, and without one the memory exhaustion is straightforward to trigger.

Generated by OpenCVE AI on May 5, 2026 at 18:07 UTC.

Remediation

Fixed in Django 6.0.5 and 5.2.14, as stated in the vendor description above. No separate workaround is listed beyond Django's standing advice to enforce an upload size limit at the web server level.

OpenCVE Recommended Actions

  • Upgrade Django to 6.0.5 or newer, or to 5.2.14 or newer, to obtain the patched ASGI upload size handling.
  • Enforce a request body size limit in the web server or reverse proxy in front of Django (for example Nginx `client_max_body_size` or Apache `LimitRequestBody`) so that oversized uploads are rejected before they reach the application; Django expects such a limit to exist regardless of `FILE_UPLOAD_MAX_MEMORY_SIZE`.
  • Do not size an upload from the `Content-Length` header: enforce the limit on the bytes actually received and treat a body that exceeds its declared length as an error. Rejecting every request that lacks `Content-Length` is not a substitute, since chunked transfer encoding legitimately omits the header; counting received bytes covers both the missing and the understated header, which is the length inconsistency CWE-130 describes.
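As an added illustration of the weak check described in the Impact section and of the third action above (this is example code, not Django's code and not the project's fix): a Python ASGI middleware that never admits a body on the strength of the declared `Content-Length` and instead enforces the limit on the bytes `receive` actually delivers. `MAX_BODY`, `BodyLimitMiddleware`, `echo_length_app`, `make_scope` and `run_request` are assumed names for the demonstration, and the request scopes and body streams are constructed inline.

```python
"""Limit an ASGI request body by the bytes actually received, not by the
Content-Length the client declares. Added example, not Django's code: MAX_BODY
stands in for FILE_UPLOAD_MAX_MEMORY_SIZE; apps, scopes and streams are constructed."""
import asyncio

MAX_BODY = 1024  # assumed limit for the demo

class BodyTooLarge(Exception): ...

def declared_length(scope):
    """Client-declared Content-Length, or None if absent/unparsable (chunked requests have none)."""
    for name, value in scope.get("headers", []):
        if name.lower() == b"content-length":
            return int(value) if value.isdigit() else None
    return None

def header_trusting_check(scope, limit=MAX_BODY):
    """Weak pattern: 'fits in memory' is decided from the header alone, so a
    missing (treated as 0) or understated header passes whatever follows."""
    return (declared_length(scope) or 0) <= limit

class BodyLimitMiddleware:
    """Wraps `receive` so the limit is enforced on delivered bytes."""
    def __init__(self, app, limit=MAX_BODY):
        self.app, self.limit = app, limit

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        length = declared_length(scope)
        if length is not None and length > self.limit:
            return await self._reject(send)  # honest oversized claim: reject early
        received, started = 0, False

        async def limited_receive():
            nonlocal received
            message = await receive()
            if message["type"] == "http.request":
                received += len(message.get("body", b""))
                if received > self.limit:  # counts real bytes; header ignored
                    raise BodyTooLarge(received)
            return message

        async def tracking_send(message):
            nonlocal started
            started = started or message["type"] == "http.response.start"
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except BodyTooLarge:
            if started:
                raise  # response already begun; let the server close the connection
            await self._reject(send)

    async def _reject(self, send):
        await send({"type": "http.response.start", "status": 413, "headers": []})
        await send({"type": "http.response.body", "body": b"Payload Too Large"})

async def echo_length_app(scope, receive, send):
    """Constructed app: reads the whole body, as an upload handler would,
    and replies with the number of bytes it consumed."""
    body, more = b"", True
    while more:
        message = await receive()
        body += message.get("body", b"")
        more = message.get("more_body", False)
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(len(body)).encode()})

def make_scope(content_length=None):
    """Constructed scope; omit content_length to model a chunked request."""
    headers = [] if content_length is None else [
        (b"content-length", str(content_length).encode())]
    return {"type": "http", "method": "POST", "path": "/upload", "headers": headers}

def run_request(app, scope, chunks):
    """Drive `app` with a constructed body stream; return (status, body)."""
    queue, sent = list(chunks), []
    async def receive():
        return {"type": "http.request", "body": queue.pop(0), "more_body": bool(queue)}
    async def send(message):
        sent.append(message)
    asyncio.run(app(scope, receive, send))
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, body

def demo():
    chunks = [b"A" * 1024] * 4                    # 4 KiB really sent
    understated = make_scope(content_length=100)  # client claims only 100 bytes
    limited = BodyLimitMiddleware(echo_length_app)
    return {
        "weak_check_passes": header_trusting_check(understated),
        "unlimited": run_request(echo_length_app, understated, chunks),
        "understated_limited": run_request(limited, understated, chunks)[0],
        "chunked_limited": run_request(limited, make_scope(), chunks)[0],
        "honest_small": run_request(limited, make_scope(10), [b"x" * 10]),
    }
```

In a Django deployment such a wrapper would sit around the ASGI application (`BodyLimitMiddleware(get_asgi_application())` in `asgi.py`) as a second line of defence behind the web-server limit, not instead of it. The header is used only to reject an honestly declared oversized body early; admission is never decided from it, so the chunked request with no `Content-Length` and the request that claims 100 bytes are both stopped at the second 1 KiB chunk, while the honest 10-byte upload passes and the unwrapped app happily consumes all 4 KiB.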

Generated by OpenCVE AI on May 5, 2026 at 18:07 UTC.


Advisories

  Source      ID          Title
  Ubuntu USN  USN-8232-1  Django vulnerabilities
History

Tue, 05 May 2026 18:15:00 +0000

  First Time appeared (values added): Djangoproject; Djangoproject django
  Vendors & Products (values added):  Djangoproject; Djangoproject django

Tue, 05 May 2026 16:15:00 +0000

  Description (values added): as in the Description section at the top of this page
  Title (values added):       Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
  Weaknesses (values added):  CWE-130
  References (values added):  (none listed)
  Metrics (values added):
    cvssV3_1: score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    cvssV4_0: score 6.3, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-05-05T14:49:19.715Z

Reserved: 2026-04-07T19:29:07.042Z

Link: CVE-2026-5766

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-05-05T16:16:17.740

Modified: 2026-05-05T19:34:40.250

Link: CVE-2026-5766

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:15:29Z

Weaknesses