Privilege abuse in GenericInlineModelAdmin

Description

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

Affected Products

Vendor	Product	Versions
django software foundation	django	6.0, 5.2, 4.2

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
canonical	ubuntu linux	cert_advisory	90%
open source	django	cert_advisory	90%
pip	django	GHSA	85%

References

https://docs.djangoproject.com/en/dev/releases/security/(vendor-advisory)
https://groups.google.com/g/django-announce(mailing-list)
https://www.djangoproject.com/weblog/2026/apr/07/security-releases/(vendor-advisory)

Related News (3 articles)

Tier B

BSI Advisories2d ago

[NEU] [mittel] Django: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

oss-security2d ago

Django CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, and CVE-2026-33034

→ No new info (linked only)

Tier C

VulDB2d ago

CVE-2026-4277 | Django up to 4.2.29/5.2.12/6.0.3 GenericInlineModelAdmin authorization

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

Django@6.0.4Django@5.2.13Django@4.2.30

CWECWE-862

PublishedApr 7, 2026

Last enriched2d agov2

Trending Score46

Source articles3

Independent3

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Privilege abuse in GenericInlineModelAdmin

Description

Affected Products

Also Affects

References

Related News (3 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History