{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4292", "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "state": "PUBLISHED", "assignerShortName": "DSF", "dateReserved": "2026-03-16T16:58:02.592Z", "datePublished": "2026-04-07T14:22:38.254Z", "dateUpdated": "2026-04-07T15:12:56.065Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "shortName": "DSF", "dateUpdated": "2026-04-07T14:22:38.254Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122: Privilege Abuse"}]}], "title": "Privilege abuse in ModelAdmin.list_editable", "metrics": [{"other": {"content": {"value": "low", "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels"}, "type": "Django severity rating"}}], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\r\ninstances to be created via forged `POST` data.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.</p><p>Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new</p><p>instances to be created via forged `POST` data.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank Cantina for reporting this issue.</p>"}]}], "affected": [{"collectionURL": "https://pypi.org/project/Django/", "defaultStatus": "unaffected", "packageName": "django", "product": "Django", "repo": "https://github.com/django/django/", "vendor": "djangoproject", "versions": [{"status": "affected", "version": "6.0", "lessThan": "6.0.4", "versionType": "semver"}, {"status": "unaffected", "version": "6.0.4", "versionType": "semver"}, {"status": "affected", "version": "5.2", "lessThan": "5.2.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.2.13", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.30", "versionType": "semver"}, {"status": "unaffected", "version": "4.2.30", "versionType": "semver"}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "name": "Django security archive", "tags": ["vendor-advisory"]}, {"url": "https://groups.google.com/g/django-announce", "name": "Django releases announcements", "tags": ["mailing-list"]}, {"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/", "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "type": "reporter", "value": "Cantina"}, {"lang": "en", "type": "remediation developer", "value": "Jacob Walls"}, {"lang": "en", "type": "coordinator", "value": "Jacob Walls"}], "timeline": [{"lang": "en", "time": "2026-03-11T12:00:00.000Z", "value": "Initial report received."}, {"lang": "en", "time": "2026-03-16T12:00:00.000Z", "value": "Vulnerability confirmed."}, {"lang": "en", "time": "2026-04-07T09:00:00.000Z", "value": "Security release issued."}], "datePublic": "2026-04-07T09:00:00.000Z", "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:12:50.786633Z", "id": "CVE-2026-4292", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:12:56.065Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4292", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T15:12:50.786633Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:12:42.904Z"}}], "cna": {"title": "Privilege abuse in ModelAdmin.list_editable", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Cantina"}, {"lang": "en", "type": "remediation developer", "value": "Jacob Walls"}, {"lang": "en", "type": "coordinator", "value": "Jacob Walls"}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122: Privilege Abuse"}]}], "metrics": [{"other": {"type": "Django severity rating", "content": {"value": "low", "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels"}}}], "affected": [{"repo": "https://github.com/django/django/", "vendor": "djangoproject", "product": "Django", "versions": [{"status": "affected", "version": "6.0", "lessThan": "6.0.4", "versionType": "semver"}, {"status": "unaffected", "version": "6.0.4", "versionType": "semver"}, {"status": "affected", "version": "5.2", "lessThan": "5.2.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.2.13", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.30", "versionType": "semver"}, {"status": "unaffected", "version": "4.2.30", "versionType": "semver"}], "packageName": "django", "collectionURL": "https://pypi.org/project/Django/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-11T12:00:00.000Z", "value": "Initial report received."}, {"lang": "en", "time": "2026-03-16T12:00:00.000Z", "value": "Vulnerability confirmed."}, {"lang": "en", "time": "2026-04-07T09:00:00.000Z", "value": "Security release issued."}], "datePublic": "2026-04-07T09:00:00.000Z", "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "name": "Django security archive", "tags": ["vendor-advisory"]}, {"url": "https://groups.google.com/g/django-announce", "name": "Django releases announcements", "tags": ["mailing-list"]}, {"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/", "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\r\ninstances to be created via forged `POST` data.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue.", "supportingMedia": [{"type": "text/html", "value": "<p>An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.</p><p>Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new</p><p>instances to be created via forged `POST` data.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank Cantina for reporting this issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "shortName": "DSF", "dateUpdated": "2026-04-07T14:22:38.254Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4292", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:12:56.065Z", "dateReserved": "2026-03-16T16:58:02.592Z", "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "datePublished": "2026-04-07T14:22:38.254Z", "assignerShortName": "DSF"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "C78D8198-229F-45A2-B09D-C1D272878E3E", "versionEndExcluding": "4.2.30", "versionStartIncluding": "4.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "5ED295FD-7063-40A1-9A3E-C0CC4D6F7BD3", "versionEndExcluding": "5.2.13", "versionStartIncluding": "5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "344A677E-BD67-42F0-9746-5B0D4C53815E", "versionEndExcluding": "6.0.4", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\r\ninstances to be created via forged `POST` data.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue."}], "id": "CVE-2026-4292", "lastModified": "2026-04-13T17:34:48.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T15:17:46.650", "references": [{"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Patch", "Vendor Advisory"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Release Notes"], "url": "https://groups.google.com/g/django-announce"}, {"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"}], "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "type": "Secondary"}]}

{"bugzilla": {"description": "Django: Django: Unauthorized instance creation via forged POST data in Admin changelist forms", "id": "2455941", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455941"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-472", "details": ["A flaw was found in Django. Admin changelist forms utilizing `ModelAdmin.list_editable` were susceptible to improper access control. A remote attacker could exploit this by sending forged `POST` data, leading to the unauthorized creation of new instances within the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-4292", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/automation-reports", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/eda-controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/hub-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/metrics-service-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:discovery:2::el9", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/discovery-server", "product_name": "Red Hat Discovery 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/iop-advisor-backend-sat-6-18", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-04-07T14:22:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4292\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4292\nhttps://docs.djangoproject.com/en/dev/releases/security/\nhttps://groups.google.com/g/django-announce\nhttps://www.djangoproject.com/weblog/2026/apr/07/security-releases/"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0,6.0.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "6.0.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.2,5.2.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "5.2.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.2,4.2.30)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "4.2.30"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Django", "source": "cna", "vendor": "djangoproject"}, "product": "django", "vendor": "djangoproject"}], "analysis": {"en": {"generated_at": "2026-04-13T18:25:29.089158+00:00", "value": {"mitigation_remediation": ["Upgrade to Django 6.0.4 or later, 5.2.13 or later, or 4.2.30 or later.", "If an upgrade is not immediately possible, restrict or disable the use of ModelAdmin.list_editable in the admin interface.", "Ensure that only users with the appropriate permissions can access admin changelist forms.", "Monitor incoming admin POST requests for unexpected object creation attempts."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Django projects running versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30 are impacted. Earlier unsupported series, such as 5.0.x, 4.1.x, and 3.2.x, might also be affected.", "description_and_impact": "An admin changelist form that uses ModelAdmin.list_editable incorrectly admits forged POST data, permitting unauthenticated or improperly authorized users to create new model instances. The issue allows the creation of arbitrary objects in the database without the intended permission checks, enabling attackers to insert data that may grant elevated privileges or disrupt application logic.", "risk_and_exploitability": "The CVSS base score is 2.7 and the EPSS score is below 1%, indicating a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack requires access to the Django admin changelist pages and the ability to submit forged POST requests, making it most likely to be leveraged by authenticated staff users or individuals able to craft malicious administrative requests."}}}}, "created": "2026-04-08T19:37:35.030944+00:00", "updated": "2026-04-14T16:40:56.915496+00:00", "vendors": ["djangoproject", "djangoproject$PRODUCT$django"]}