7.5

CVE-2026-3902

EPSS 0.02%
Veröffentlicht 07.04.2026 14:22:07
Zuletzt bearbeitet 13.04.2026 17:38:05
Quelle 6a34fbeb-21d4-45e7-8e0a-62b95b
CVE-Watchlists
Login
Unerledigt
Login

ASGI header spoofing via underscore/hyphen conflation

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 3 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Djangoproject ≫ Django Version >= 4.2 < 4.2.30

Djangoproject ≫ Django Version >= 5.2 < 5.2.13

Djangoproject ≫ Django Version >= 6.0 < 6.0.4

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.038

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

https://docs.djangoproject.com/en/dev/releases/security/

Patch

Vendor Advisory

https://groups.google.com/g/django-announce

Release Notes

https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-3902

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3902

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3902

EUVD