Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
Django security archive
https://docs.djangoproject.com/en/dev/releases/security/
Vendor Advisory vendor-advisory
Django security releases issued: 6.0.4, 5.2.13, and 4.2.30
https://www.djangoproject.com/weblog/2026/apr/07/security-releases/
Scores
CVSS v3
7.5
EPSS
0.0044
EPSS Percentile
34.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-290
Status
published
Products (10)
djangoproject/Django
4.2 - 4.2.30
djangoproject/django
4.2 - 4.2.30
djangoproject/Django
4.2.30
djangoproject/Django
5.2 - 5.2.13
djangoproject/Django
5.2.13
djangoproject/Django
6.0 - 6.0.4
djangoproject/Django
6.0.4
pypi/Django
4.2 - 4.2.30PyPI
pypi/Django
5.2 - 5.2.13PyPI
pypi/Django
6.0 - 6.0.4PyPI
Published
Apr 07, 2026
Tracked Since
Apr 07, 2026