Skip to main content

Python CVE-2026-3902

| EUVDEUVD-2026-19686 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-04-07 DSF GHSA-mvfq-ggxm-9mc5
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 07, 2026 - 21:31 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 15:00 euvd
EUVD-2026-19686
Analysis Generated
Apr 07, 2026 - 15:00 vuln.today
CVE Published
Apr 07, 2026 - 14:22 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 pypi packages depend on django (16 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.0.

DescriptionCVE.org

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGIRequest allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

AnalysisAI

Header spoofing in Django 4.2 through 6.0 allows remote attackers to bypass security controls by exploiting ambiguous ASGI header normalization. The ASGIRequest handler incorrectly maps both hyphenated and underscored header variants to the same underscored version, enabling attackers to send conflicting headers where the malicious version overwrites legitimate security headers. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. No public exploit identified at time of analysis. EPSS data not available, but the unauthenticated network attack vector and high integrity impact warrant immediate patching.

Technical ContextAI

This vulnerability resides in Django's ASGI (Asynchronous Server Gateway Interface) request handling implementation. ASGI is Django's interface specification for asynchronous web servers and applications, the successor to WSGI. The flaw stems from improper HTTP header normalization where ASGIRequest converts both hyphenated header names (HTTP standard format like X-Forwarded-For) and underscored variants (X_Forwarded_For) to the same underscored Python dictionary key. This ambiguous mapping creates CWE-290 (Authentication Bypass by Spoofing) conditions because attackers can send duplicate headers with different naming conventions, causing the framework to process them inconsistently. Security-critical headers like X-Forwarded-Host, X-Forwarded-Proto, or authentication tokens become vulnerable to replacement attacks where malicious underscored versions override legitimate hyphenated versions or vice versa, depending on processing order. This affects all ASGI deployment configurations of Django, particularly those behind reverse proxies that rely on forwarded headers for authentication decisions, IP allowlisting, or protocol enforcement.

RemediationAI

Immediately upgrade to patched Django versions: 6.0.4 for the 6.0 series, 5.2.13 for the 5.2 series, or 4.2.30 for the 4.2 long-term support branch. These versions contain fixes for the ASGIRequest header normalization vulnerability. Users of unsupported Django versions (5.0.x, 4.1.x, 3.2.x and earlier) should prioritize migration to a supported LTS release (currently 4.2.30 or newer) as no security patches will be issued for end-of-life branches. In environments where immediate patching is not feasible, implement defense-in-depth controls including strict validation of forwarded headers at the reverse proxy layer, use of allowlists for acceptable header values, and avoid trusting client-controllable headers for authentication or authorization decisions. Review application code for dependencies on X-Forwarded-* headers and similar proxy-forwarded values. Complete remediation guidance and release notes are available at https://docs.djangoproject.com/en/dev/releases/security/ and https://www.djangoproject.com/weblog/2026/apr/07/security-releases/.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed

Share

CVE-2026-3902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy