CVE-2026-1287 Overview
CVE-2026-1287 is a SQL Injection vulnerability discovered in Django's FilteredRelation class. The vulnerability allows attackers to inject malicious SQL code through column aliases by leveraging control characters within specially crafted dictionaries. This can be exploited when dictionary expansion (**kwargs) is passed to various QuerySet methods including annotate(), aggregate(), extra(), values(), values_list(), and alias().
Critical Impact
Authenticated attackers with network access can exploit this SQL injection vulnerability to potentially read or modify sensitive database information, compromising data confidentiality and integrity.
Affected Products
- Django 6.0 before 6.0.2
- Django 5.2 before 5.2.11
- Django 4.2 before 4.2.28
Discovery Timeline
- 2026-02-03 - Vulnerability disclosed by Solomon Kebede to Django
- 2026-02-03 - Django releases security patch
- 2026-02-03 - CVE-2026-1287 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-1287
Vulnerability Analysis
This SQL injection vulnerability exists in Django's FilteredRelation class, which is used to create filtered joins in database queries. The root issue is that column aliases are not properly sanitized when processing dictionary arguments passed to QuerySet methods.
When an attacker can influence the keys of dictionaries passed to methods like annotate() or values(), they can inject control characters that break out of the expected SQL context. This allows arbitrary SQL code to be inserted into the generated queries. The attack requires the attacker to have authenticated access to the application and the ability to control dictionary keys that are expanded into QuerySet method calls.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated by the Django team and may also be affected by this vulnerability.
Root Cause
The vulnerability stems from insufficient input validation and sanitization of column alias names in the FilteredRelation class. When constructing SQL queries, Django failed to properly escape or validate control characters within dictionary keys before incorporating them into column aliases. This allows specially crafted dictionary keys containing SQL metacharacters to manipulate the structure of the generated SQL statement.
Attack Vector
The attack is network-based and requires low privileges (authenticated user access). An attacker must be able to supply a crafted dictionary that gets expanded as **kwargs to one of the vulnerable QuerySet methods. The attack involves:
- Constructing a dictionary with keys containing SQL injection payloads embedded within control characters
- Having this dictionary passed to a vulnerable method such as annotate(), aggregate(), extra(), values(), values_list(), or alias()
- The malicious SQL payload executes within the context of the database query
The vulnerability can be exploited through any application endpoint that allows user-controlled input to influence QuerySet method parameters. The attack does not require user interaction beyond the initial authenticated request.
Detection Methods for CVE-2026-1287
Indicators of Compromise
- Unusual SQL query patterns in database logs containing control characters in column aliases
- Error messages indicating malformed SQL queries from Django ORM operations
- Unexpected database query results or data modifications
- Application errors related to FilteredRelation or QuerySet annotation methods
Detection Strategies
- Monitor web application logs for requests containing unusual control characters in parameters
- Implement database activity monitoring to detect anomalous query patterns
- Review application code for dynamic dictionary construction passed to QuerySet methods
- Deploy web application firewalls with rules to detect SQL injection patterns in JSON/dictionary inputs
Monitoring Recommendations
- Enable Django's database query logging to capture all generated SQL statements
- Configure alerting on database errors related to syntax violations in ORM-generated queries
- Monitor for unusual data access patterns that could indicate successful SQL injection
- Implement real-time log analysis for suspicious parameter values in authenticated sessions
How to Mitigate CVE-2026-1287
Immediate Actions Required
- Upgrade Django to patched versions: 6.0.2, 5.2.11, or 4.2.28 immediately
- Audit application code for any user-controlled dictionary expansion in QuerySet methods
- Implement input validation for any parameters that influence query annotations or aliases
- Review database access logs for signs of exploitation attempts
Patch Information
Django has released security patches addressing this vulnerability. Upgrade to the following versions based on your Django series:
| Current Version | Patched Version |
|---|---|
| Django 6.0.x | 6.0.2 |
| Django 5.2.x | 5.2.11 |
| Django 4.2.x | 4.2.28 |
For detailed patch information, refer to the Django Security Release Notes and the Django Weblog Security Releases announcement.
Workarounds
- Validate and sanitize all dictionary keys before passing them to QuerySet methods
- Implement allowlists for acceptable column alias names in application code
- Avoid using user-controlled input in dictionary keys that are expanded to QuerySet methods
- Consider using parameterized queries or raw SQL with proper escaping as temporary alternatives
# Upgrade Django to patched version
pip install --upgrade Django>=6.0.2
# Verify installed version
python -c "import django; print(django.VERSION)"
# For Django 5.2.x series
pip install --upgrade 'Django>=5.2.11,<6.0'
# For Django 4.2.x series (LTS)
pip install --upgrade 'Django>=4.2.28,<5.0'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
