CVE-2026-3902 (GCVE-0-2026-3902)
Vulnerability from cvelistv5
Published
2026-04-07 14:22
Modified
2026-04-07 16:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-290 - Authentication Bypass by Spoofing
Summary
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Version: 6.0 ≤ Version: 5.2 ≤ Version: 4.2 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T16:14:03.870418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:14:07.198Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/Django/",
"defaultStatus": "unaffected",
"packageName": "django",
"product": "Django",
"repo": "https://github.com/django/django/",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "6.0.4",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "6.0.4",
"versionType": "semver"
},
{
"lessThan": "5.2.13",
"status": "affected",
"version": "5.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.2.13",
"versionType": "semver"
},
{
"lessThan": "4.2.30",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.30",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Tarek Nakkouch"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jacob Walls"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jacob Walls"
}
],
"datePublic": "2026-04-07T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003e`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Tarek Nakkouch for reporting this issue.\u003c/p\u003e"
}
],
"value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-151",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-151: Identity Spoofing"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
"value": "low"
},
"type": "Django severity rating"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:22:07.190Z",
"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"shortName": "DSF"
},
"references": [
{
"name": "Django security archive",
"tags": [
"vendor-advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "Django releases announcements",
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
"tags": [
"vendor-advisory"
],
"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-12-23T12:00:00.000Z",
"value": "Initial report received."
},
{
"lang": "en",
"time": "2026-03-10T12:00:00.000Z",
"value": "Vulnerability confirmed."
},
{
"lang": "en",
"time": "2026-04-07T09:00:00.000Z",
"value": "Security release issued."
}
],
"title": "ASGI header spoofing via underscore/hyphen conflation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"assignerShortName": "DSF",
"cveId": "CVE-2026-3902",
"datePublished": "2026-04-07T14:22:07.190Z",
"dateReserved": "2026-03-10T18:33:26.472Z",
"dateUpdated": "2026-04-07T16:14:07.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3902\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-07T16:14:03.870418Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-07T16:13:58.332Z\"}}], \"cna\": {\"title\": \"ASGI header spoofing via underscore/hyphen conflation\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Tarek Nakkouch\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Jacob Walls\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"Jacob Walls\"}], \"impacts\": [{\"capecId\": \"CAPEC-151\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-151: Identity Spoofing\"}]}], \"metrics\": [{\"other\": {\"type\": \"Django severity rating\", \"content\": {\"value\": \"low\", \"namespace\": \"https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels\"}}}], \"affected\": [{\"repo\": \"https://github.com/django/django/\", \"vendor\": \"djangoproject\", \"product\": \"Django\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"6.0.4\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.0.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.2\", \"lessThan\": \"5.2.13\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.2.13\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.2\", \"lessThan\": \"4.2.30\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.2.30\", \"versionType\": \"semver\"}], \"packageName\": \"django\", \"collectionURL\": \"https://pypi.org/project/Django/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-12-23T12:00:00.000Z\", \"value\": \"Initial report received.\"}, {\"lang\": \"en\", \"time\": \"2026-03-10T12:00:00.000Z\", \"value\": \"Vulnerability confirmed.\"}, {\"lang\": \"en\", \"time\": \"2026-04-07T09:00:00.000Z\", \"value\": \"Security release issued.\"}], \"datePublic\": \"2026-04-07T09:00:00.000Z\", \"references\": [{\"url\": \"https://docs.djangoproject.com/en/dev/releases/security/\", \"name\": \"Django security archive\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://groups.google.com/g/django-announce\", \"name\": \"Django releases announcements\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/\", \"name\": \"Django security releases issued: 6.0.4, 5.2.13, and 4.2.30\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\\nDjango would like to thank Tarek Nakkouch for reporting this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003e`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Tarek Nakkouch for reporting this issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290: Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\", \"shortName\": \"DSF\", \"dateUpdated\": \"2026-04-07T14:22:07.190Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-3902\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-07T16:14:07.198Z\", \"dateReserved\": \"2026-03-10T18:33:26.472Z\", \"assignerOrgId\": \"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\", \"datePublished\": \"2026-04-07T14:22:07.190Z\", \"assignerShortName\": \"DSF\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…