CVE-2026-4277

EUVD-2026-19687
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
Add permissions on inline model instances were not validated on submission of
forged `POST` data in `GenericInlineModelAdmin`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank N05ec@LZU-DSLab for reporting this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Affected Products (NVD)
VendorProductVersion
djangoprojectdjango
4.2 ≤
𝑥
< 4.2.30
djangoprojectdjango
5.2 ≤
𝑥
< 5.2.13
djangoprojectdjango
6.0 ≤
𝑥
< 6.0.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-django
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
forky
3:4.2.30-1
fixed
sid
3:5.2.14-2
fixed
trixie
no-dsa
trixie (security)
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-django
bionic
Fixed 1:1.11.11-1ubuntu1.21+esm15
released
focal
Fixed 2:2.2.12-1ubuntu0.29+esm8
released
jammy
Fixed 2:3.2.12-2ubuntu1.26
released
noble
Fixed 3:4.2.11-1ubuntu1.15
released
questing
Fixed 3:5.2.4-1ubuntu2.4
released
trusty
ignored
xenial
Fixed 1.8.7-1ubuntu5.15+esm12
released
Common Weakness Enumeration
References
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2026/apr/07/security-releases/