UNKNOWN PyPI
Django vulnerable to privilege abuse in GenericInlineModelAdmin
GHSA-pwjp-ccjc-ghwg · BIT-django-2026-4277 · CVE-2026-4277 · PYSEC-2026-52
Published · Modified
Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged POST data in GenericInlineModelAdmin.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-4277
- WEB https://docs.djangoproject.com/en/dev/releases/security
- PACKAGE https://github.com/django/django
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2026-52.yaml
- WEB https://groups.google.com/g/django-announce
- WEB https://www.djangoproject.com/weblog/2026/apr/07/security-releases
Ready to move
Start Securing
Free, no credit card | First findings in minutes