CVE-2026-5766

MEDIUM

Django ASGI File Upload - Memory Limit Bypass DoS

Title source: manual
STIX 2.1

Description

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.

References (3)

Core 3
Core References
Vendor Advisory vendor-advisory
Django security archive
https://docs.djangoproject.com/en/dev/releases/security/
Mailing List mailing-list
Django releases announcements
https://groups.google.com/g/django-announce
Vendor Advisory vendor-advisory
Django security releases issued: 6.0.5 and 5.2.14
https://www.djangoproject.com/weblog/2026/may/05/security-releases/

Scores

CVSS v3 5.3
EPSS 0.0005
EPSS Percentile 16.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-130
Status published
Products (7)
djangoproject/Django 5.2 - 5.2.14
djangoproject/django 5.2 - 5.2.14
djangoproject/Django 5.2.14
djangoproject/Django 6.0 - 6.0.5
djangoproject/Django 6.0.5
pypi/Django 5.2 - 5.2.14PyPI
pypi/Django 6.0 - 6.0.5PyPI
Published May 05, 2026
Tracked Since May 05, 2026