CVE-2026-33034

HIGH

Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass

Title source: cna

Description

An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.
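The failure mode the description names, as an added example that is not Django's own code: a body reader whose only size check compares the declared `Content-Length` against the limit is bypassed by a client that omits or understates the header, because what arrives on the ASGI `receive()` stream is whatever the server passes on, not what the header promised. The hardened reader keeps the header check as a cheap early reject but enforces the limit on the bytes actually buffered. `DATA_UPLOAD_MAX_MEMORY_SIZE` is set to Django's documented default (2,621,440 bytes); the `RequestDataTooBig` class here is a local stand-in sharing the name of Django's exception; `make_receive`, `read_body_trusting_header`, `read_body_counting_bytes` and `read_with` are hypothetical helpers written for this illustration, and the chunks fed to them are constructed input.

```python
"""Added example (not Django's code): why a body-size limit enforced from the
Content-Length header alone fails, and the byte-counting check that closes it.

The ASGI `receive()` stand-in, the two readers and the runner are simplified
constructs for this illustration, not Django's implementation.
"""
import asyncio

DATA_UPLOAD_MAX_MEMORY_SIZE = 2_621_440  # Django's documented default: 2.5 MiB


class RequestDataTooBig(Exception):
    """Local stand-in for the exception raised when the body exceeds the limit."""


def make_receive(chunks):
    """Build an ASGI-style `receive()` coroutine from constructed byte chunks.

    Each call yields one `http.request` message; `more_body` is False on the
    last chunk, which is how an ASGI server signals the end of the body.
    """
    pending = list(chunks)

    async def receive():
        if not pending:
            return {"type": "http.disconnect"}
        chunk = pending.pop(0)
        return {"type": "http.request", "body": chunk, "more_body": bool(pending)}

    return receive


def _declared_length(headers):
    """Content-Length as an int, or None when the header is absent."""
    raw = headers.get(b"content-length")
    return int(raw.decode("ascii")) if raw is not None else None


async def read_body_trusting_header(headers, receive, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Vulnerable pattern: the only size check is against the declared header.

    A missing or understated Content-Length passes the check, and the loop
    then buffers whatever the client sends until the stream ends.
    """
    declared = _declared_length(headers)
    if declared is not None and declared > limit:
        raise RequestDataTooBig()
    body = bytearray()
    while True:
        message = await receive()
        if message["type"] != "http.request":
            break
        body += message.get("body", b"")
        if not message.get("more_body", False):
            break
    return bytes(body)


async def read_body_counting_bytes(headers, receive, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Hardened pattern: keep the header check as an early reject, but enforce
    the limit on the bytes actually received, chunk by chunk, so the buffer can
    never grow past `limit` regardless of what the header claims.
    """
    declared = _declared_length(headers)
    if declared is not None and declared > limit:
        raise RequestDataTooBig()
    body = bytearray()
    while True:
        message = await receive()
        if message["type"] != "http.request":
            break
        body += message.get("body", b"")
        if len(body) > limit:
            raise RequestDataTooBig()  # stop before buffering anything more
        if not message.get("more_body", False):
            break
    return bytes(body)


def read_with(reader, headers, chunks, limit):
    """Run a reader over constructed chunks; return the buffered size or 'rejected'."""
    try:
        return len(asyncio.run(reader(headers, make_receive(chunks), limit)))
    except RequestDataTooBig:
        return "rejected"


if __name__ == "__main__":
    limit = 1024                    # small limit so the demo stays readable
    oversized = [b"A" * 512] * 3    # 1536 bytes actually sent (constructed)
    understated = {b"content-length": b"100"}
    absent = {}                     # no Content-Length at all
    print("trusting header, understated:", read_with(read_body_trusting_header, understated, oversized, limit))
    print("counting bytes,  understated:", read_with(read_body_counting_bytes, understated, oversized, limit))
    print("trusting header, absent:     ", read_with(read_body_trusting_header, absent, oversized, limit))
    print("counting bytes,  absent:     ", read_with(read_body_counting_bytes, absent, oversized, limit))
```

The remediation for the CVE itself is to upgrade to 6.0.4, 5.2.13 or 4.2.30 as listed above. As defense in depth, a request-body cap enforced at the reverse proxy (for example nginx's `client_max_body_size`) bounds memory use without depending on how the framework interprets the header.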

Scores

CVSS v3 7.5
EPSS 0.0004
EPSS Percentile 10.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (8)
djangoproject/Django 4.2 - 4.2.30
djangoproject/django 4.2 - 4.2.30
djangoproject/Django 4.2.30
djangoproject/Django 5.2 - 5.2.13
djangoproject/Django 5.2.13
djangoproject/Django 6.0 - 6.0.4
djangoproject/Django 6.0.4
pypi/Django 6.0 - 6.0.4 (PyPI)
Published Apr 07, 2026
Tracked Since Apr 07, 2026