Description
A flaw has been found in liangliangyy DjangoBlog up to 2.1.0.0. The affected element is the function form_valid of the file oauth/views.py. This manipulation of the argument oauthid causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Improper Authorization via manipulated oauthid leading to unauthorized access
Action: Patch
AI Analysis

Impact

The vulnerability resides in the form_valid function in oauth/views.py of the DjangoBlog application. By altering the oauthid argument, an attacker can circumvent the normal authorization check, bind OAuth credentials they are not authorized to bind, and potentially access or modify resources that should be out of their reach. The flaw is exploitable remotely, has already been publicly described with a released exploit, and the vendor has not provided a fix or response.

Affected Systems

Any deployment of liangliangyy's DjangoBlog up to and including version 2.1.0.0 is affected. The issue lies in the OAuth handling logic in oauth/views.py, so any installation running this code without a mitigating change is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate-severity vulnerability. The EPSS score is not available, so the current exploitation likelihood is unclear; however, the flaw is publicly documented and a working exploit exists. The vulnerability is not listed in the CISA KEV catalog. Attackers can initiate the exploit remotely, which increases the threat surface. The improper authorization mechanism is rooted in CWE‑266 (Untrusted Modification of Authorization Tokens) and CWE‑285 (Authorization Bypass Through User-Controlled Key).

Generated by OpenCVE AI on April 20, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the DjangoBlog application to a version newer than 2.1.0.0 where the form_valid authorization check has been corrected.
  • If an upgrade is not immediately possible, modify the oauth/views.py form_valid function to reject any oauthid values that do not belong to the authenticated user, enforcing server‑side validation rather than accepting client‑supplied identifiers.
  • Reconfigure any OAuth endpoints to reject client‑supplied oauthid parameters altogether, and ensure that all OAuth token handling is performed using secure server‑side logic and relies on signed tokens.

Generated by OpenCVE AI on April 20, 2026 at 07:20 UTC.
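The second recommended action above amounts to an ownership check on a client-supplied key. The following is an added illustration of that check and is not code from the DjangoBlog project: OAuthRecord, make_records, bind_oauth_unchecked, bind_oauth_checked and try_bind are assumed names, the in-memory dict stands in for a database table, and the owner field models whichever user (or session) started the OAuth flow, which is an assumption about how ownership would be tracked.

```python
"""Scoping a lookup by a client-supplied oauthid to the authenticated user.

Added illustration of the ownership check, not code from DjangoBlog. All
names below are assumptions; the dict stands in for a database table.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class PermissionDenied(Exception):
    """Raised when the record named by oauthid is not the caller's to bind."""


@dataclass
class OAuthRecord:
    oauthid: int
    provider: str
    owner: str                      # user who started this OAuth flow (assumed field)
    bound_to: Optional[str] = None  # account the credential has been linked to


def make_records() -> Dict[int, OAuthRecord]:
    """Constructed sample data: two pending OAuth logins for two different users."""
    return {
        1: OAuthRecord(oauthid=1, provider="github", owner="alice"),
        2: OAuthRecord(oauthid=2, provider="github", owner="bob"),
    }


def bind_oauth_unchecked(current_user: str, oauthid: int,
                         records: Dict[int, OAuthRecord]) -> OAuthRecord:
    """CWE-285 pattern: the record is fetched by the id the client sent and
    bound without asking whose it is, so any logged-in user can claim any id."""
    record = records[oauthid]
    record.bound_to = current_user
    return record


def bind_oauth_checked(current_user: str, oauthid: int,
                       records: Dict[int, OAuthRecord]) -> OAuthRecord:
    """Hardened form: the lookup is scoped to the authenticated user, so an
    id that belongs to someone else is handled exactly like a missing one."""
    record = records.get(oauthid)
    if record is None or record.owner != current_user:
        # One response for "no such id" and "not yours" avoids leaking which ids exist.
        raise PermissionDenied("oauthid not found for this user")
    record.bound_to = current_user
    return record


def try_bind(handler: Callable[..., OAuthRecord], current_user: str, oauthid: int,
             records: Dict[int, OAuthRecord]) -> str:
    """Run a handler and report the outcome as a short status string."""
    try:
        rec = handler(current_user, oauthid, records)
    except PermissionDenied:
        return "denied"
    except KeyError:
        return "not found"
    return f"bound to {rec.bound_to} (record owner {rec.owner})"


if __name__ == "__main__":
    # bob submits alice's oauthid: the unchecked handler binds it, the checked one refuses.
    print(try_bind(bind_oauth_unchecked, "bob", 1, make_records()))
    print(try_bind(bind_oauth_checked, "bob", 1, make_records()))
    print(try_bind(bind_oauth_checked, "alice", 1, make_records()))
```

In Django ORM terms the same change is the difference between a lookup such as `Model.objects.get(pk=oauthid)` and one that adds the owner as a query condition, e.g. `Model.objects.get(pk=oauthid, user=request.user)` (the `user` field name here is an assumption): the ownership requirement becomes part of the query rather than a check bolted on afterwards, so there is no code path that fetches another user's record at all.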

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 06:15:00 +0000

Type / Values Removed / Values Added

Description: A flaw has been found in liangliangyy DjangoBlog up to 2.1.0.0. The affected element is the function form_valid of the file oauth/views.py. This manipulation of the argument oauthid causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: liangliangyy DjangoBlog views.py form_valid improper authorization
Weaknesses: CWE-266, CWE-285
References:
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T05:30:16.620Z

Reserved: 2026-04-19T16:06:08.447Z

Link: CVE-2026-6609

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T06:16:22.050

Modified: 2026-04-20T06:16:22.050

Link: CVE-2026-6609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T07:30:45Z

Weaknesses