CVE-2026-4292 Overview
A Broken Access Control vulnerability has been discovered in Django affecting versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using ModelAdmin.list_editable incorrectly allowed new instances to be created via forged POST data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Critical Impact
A staff user who can reach an admin changelist that sets list_editable can create objects by forging the changelist POST, even though that path is meant only to edit rows that already exist. In Django's admin, saving from the changelist requires just the model's change permission, while creating an object through the add view requires the add permission; an object created through this bug therefore skips the add-permission check and the add form entirely, and any field not listed in list_editable is populated from its model default. The result is unauthorized data creation and data-integrity problems whose severity depends on what the affected model controls.
Affected Products
- Django 6.0 before 6.0.4
- Django 5.2 before 5.2.13
- Django 4.2 before 4.2.30
Discovery Timeline
- April 7, 2026 - CVE-2026-4292 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-4292
Vulnerability Analysis
This vulnerability stems from a Missing Authorization flaw (CWE-862) in Django's admin interface, specifically in the ModelAdmin.list_editable functionality. The list_editable feature lets staff users edit selected fields of several objects directly from the changelist page; each submitted row carries a hidden primary-key field that is supposed to identify the existing object being edited. The implementation failed to verify that each incoming row actually corresponded to an existing object before saving it.
When processing the changelist form, the affected Django versions did not check that the submitted primary keys referenced rows already in the database. A row whose key does not resolve to an existing object is bound to a fresh, unsaved model instance, and saving that instance inserts a new record instead of updating an existing one. An authenticated admin user (or an attacker who has compromised a staff account) can craft such a POST deliberately.
The attack requires network access and admin authentication, which limits the attack surface. However, any staff account holding only the change permission on a model gains the ability to create objects of that model, which is precisely the boundary the add permission is meant to enforce. In multi-tenant environments or systems where admin access is delegated, this can lead to unauthorized object creation, data pollution, or privilege escalation, depending on what the affected models represent (for example, models that carry roles, flags or ownership).
Django has credited Cantina for responsibly reporting this security issue.
Root Cause
The root cause is a Missing Authorization check (CWE-862) in the ModelAdmin.list_editable form processing logic. The code path responsible for handling bulk edits on the admin changelist page failed to verify that submitted object identifiers corresponded to existing database records before processing the form data. This allowed forged POST requests containing fabricated primary keys to bypass the intended edit-only functionality and trigger object creation instead.
Attack Vector
The attack requires a user authenticated to the Django admin (a staff account) with the change permission on the target model to submit specially crafted POST data to that model's admin changelist endpoint. An attacker would:
- Identify a ModelAdmin class configured with list_editable fields
- Craft a POST request to the corresponding admin changelist URL
- Include form data with a non-existent primary key value
- Submit the request, causing Django to create a new object instead of updating an existing one
This is a network-based attack that requires high privileges (admin authentication) but no user interaction. The attack targets data integrity by enabling unauthorized object creation through the admin interface.
For detailed technical information about the vulnerability mechanism, see the Django Security Releases Documentation and the Django Weblog Security Updates.
Detection Methods for CVE-2026-4292
Indicators of Compromise
- Unexpected new records in database tables associated with list_editable admin configurations
- Admin audit rows (django.contrib.admin LogEntry) flagged as CHANGE for objects that have no earlier ADDITION entry: the changelist save path logs every row it saves as a change, so an object created through this bug is recorded as if it had been edited
- POST requests to admin changelist URLs whose hidden per-row primary-key fields are empty or reference keys that do not exist in the database (this requires capturing request bodies at the application or middleware layer; ordinary access logs record only the URL)
- Anomalous patterns of admin activity creating multiple objects through changelist forms
Detection Strategies
- Monitor POST requests to admin changelist endpoints carrying the changelist save button (_save) and capture their form payloads at the application or middleware layer, since standard access logs do not record request bodies
- Implement database-level auditing (triggers or statement logging) to record INSERT operations on tables behind models with list_editable configurations, and compare the inserting database user and time against admin activity
- Review the admin audit trail for objects whose first LogEntry is a CHANGE rather than an ADDITION
- Web application firewall (WAF) rules can flag changelist submissions whose per-row primary-key fields are empty or malformed, but a WAF cannot know which keys exist in the database, so treat such rules as a weak, supplementary signal
Monitoring Recommendations
- Ship Django's built-in admin audit log (the LogEntry table, written automatically on every admin add, change and delete) to your SIEM rather than leaving it only in the application database
- Configure alerting on bursts of CHANGE audit entries from one user for objects that were never logged as added, which is the signature of objects created through changelist forms
- Apply rate limiting to admin changelist POST endpoints to slow down automated abuse, and alert on the rate-limit hits themselves
- Review admin user activity regularly for anomalous behavior patterns, in particular staff accounts that hold only change permission on a model but appear associated with new rows in that model's table
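The audit-log check described above, as an added example that is not part of this advisory or of Django: the admin changelist saves each row through log_change(), so an object created through the vulnerable path shows up in django_admin_log with action_flag=CHANGE and no earlier ADDITION row. The code works over plain dictionaries with the same columns as django.contrib.admin.models.LogEntry; the log rows are constructed sample data, and the function and burst-window names are this example's own. In production you would feed it LogEntry.objects.values("content_type_id", "object_id", "action_flag", "user_id", "action_time").

```python
"""Triage Django admin LogEntry rows for objects whose first admin record is a CHANGE.

Added example for this advisory; not code from the Django project.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Action flags as defined in django.contrib.admin.models
ADDITION, CHANGE, DELETION = 1, 2, 3


def first_seen_as_change(entries):
    """Return entries whose (content_type_id, object_id) first appears as a CHANGE.

    Entries may arrive in any order; they are processed by action_time. Objects
    created outside the admin (shell, API, fixtures) and later edited in the
    admin produce the same signature, so the result is a triage list, not proof.
    """
    seen = set()
    hits = []
    for e in sorted(entries, key=lambda e: e["action_time"]):
        key = (e["content_type_id"], e["object_id"])
        if key in seen:
            continue
        seen.add(key)
        if e["action_flag"] == CHANGE:
            hits.append(e)
    return hits


def burst_by_user(hits, window=timedelta(seconds=2)):
    """Group suspicious entries per user into bursts no more than `window` apart.

    A forged changelist submission saves every row in one request, so the
    resulting LogEntry rows share a user and land milliseconds apart. Several
    first-seen CHANGE entries in one burst is a stronger signal than a lone one.
    """
    by_user = defaultdict(list)
    for e in sorted(hits, key=lambda e: e["action_time"]):
        by_user[e["user_id"]].append(e)
    bursts = []
    for user_id, rows in by_user.items():
        current = [rows[0]]
        for e in rows[1:]:
            if e["action_time"] - current[-1]["action_time"] <= window:
                current.append(e)
            else:
                bursts.append((user_id, current))
                current = [e]
        bursts.append((user_id, current))
    return bursts


# Constructed sample log: content_type_id 12 stands for a model exposed with
# list_editable; user 3 is a staff account holding only the change permission.
t0 = datetime(2026, 4, 9, 10, 15, 0)
SAMPLE_LOG = [
    {"content_type_id": 12, "object_id": "7", "action_flag": ADDITION, "user_id": 1, "action_time": t0},
    {"content_type_id": 12, "object_id": "7", "action_flag": CHANGE, "user_id": 3, "action_time": t0 + timedelta(minutes=5)},
    {"content_type_id": 12, "object_id": "9", "action_flag": DELETION, "user_id": 1, "action_time": t0 + timedelta(minutes=6)},
    # Two objects whose very first admin record is a CHANGE, saved 40 ms apart:
    {"content_type_id": 12, "object_id": "42", "action_flag": CHANGE, "user_id": 3, "action_time": t0 + timedelta(minutes=7)},
    {"content_type_id": 12, "object_id": "43", "action_flag": CHANGE, "user_id": 3, "action_time": t0 + timedelta(minutes=7, milliseconds=40)},
    # The same object_id under another content type is a different object:
    {"content_type_id": 15, "object_id": "42", "action_flag": ADDITION, "user_id": 1, "action_time": t0 + timedelta(minutes=8)},
]

if __name__ == "__main__":
    for user_id, rows in burst_by_user(first_seen_as_change(SAMPLE_LOG)):
        ids = [r["object_id"] for r in rows]
        print(f"user {user_id}: {len(rows)} object(s) first logged as CHANGE: {ids}")
```

On the sample data only objects 42 and 43 are reported, as one two-row burst from user 3; object 7 has a prior ADDITION and the second "42" belongs to a different content type. Confirm each hit against the table's own creation timestamp or database-level audit before treating it as exploitation.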
How to Mitigate CVE-2026-4292
Immediate Actions Required
- Upgrade Django to patched versions: 6.0.4, 5.2.13, or 4.2.30 depending on your current series
- Audit existing data for any unauthorized objects that may have been created through this vulnerability
- Review admin access logs for suspicious activity on changelist forms with list_editable configurations
- Consider temporarily disabling list_editable on sensitive models until patches are applied
Patch Information
Django has released security patches addressing this vulnerability. Users should upgrade to the following versions:
| Current Series | Patched Version |
|---|---|
| Django 6.0.x | 6.0.4 |
| Django 5.2.x | 5.2.13 |
| Django 4.2.x | 4.2.30 |
For additional details, refer to the Django Weblog Security Updates and subscribe to the Django Announcements Group for future security notifications.
Workarounds
- Remove list_editable from ModelAdmin configurations for sensitive models until patches can be applied
- Override ModelAdmin.save_model() on admins that use list_editable to refuse any save where change is True but the instance has not been saved yet (obj._state.adding) or its primary key is not present in the table; the changelist path always calls save_model() with change=True, so that combination only occurs for a forged row
- Restrict admin access to trusted IP addresses using firewall rules or Django middleware
- Enable additional authentication factors for admin access to reduce the risk of credential compromise
```shell
# Upgrade Django to the patched release for the series you run.
# Quote the specifier: an unquoted '>' is parsed by the shell as output redirection.
pip install --upgrade "Django>=6.0.4,<6.1"     # 6.0.x series
# pip install --upgrade "Django>=5.2.13,<5.3"  # 5.2.x series
# pip install --upgrade "Django>=4.2.30,<4.3"  # 4.2.x series

# Verify the installed version
python -c "import django; print(django.get_version())"

# Alternative: pin the patched version in requirements.txt
# (replace any existing Django line rather than appending a second one)
echo "Django==6.0.4" >> requirements.txt
pip install -r requirements.txt
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

