CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation¶

ASGIRequest normalizes header names following WSGI conventions, mapping hyphens to underscores. As a result, even in configurations where reverse proxies carefully strip security-sensitive headers named with hyphens, such a header could be spoofed by supplying a header named with underscores.

Under WSGI, it is the responsibility of the server or proxy to avoid ambiguous mappings. (Django's runserver was patched in CVE 2015-0219.) But under ASGI, there is not the same uniform expectation, even if many proxies protect against this under default configuration (including nginx via underscores_in_headers off;).

Headers containing underscores are now ignored by ASGIRequest, matching the behavior of Daphne, the reference server for ASGI.

根据 Django 安全政策，这个问题的严重性为“低”。

CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin¶

Add permissions on inline model instances were not validated on submission of forged POST data in GenericInlineModelAdmin.

根据 Django 安全政策，这个问题的严重性为“低”。

CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable¶

Admin changelist forms using list_editable incorrectly allowed new instances to be created via forged POST data.

根据 Django 安全政策，这个问题的严重性为“低”。

CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload¶

When using django.http.multipartparser.MultiPartParser, multipart uploads with Content-Transfer-Encoding: base64 that include excessive whitespace may trigger repeated memory copying, potentially degrading performance.

This issue has severity "moderate" according to the Django security policy.

CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass¶

ASGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body, potentially loading an unbounded request body into memory and causing service degradation.

根据 Django 安全政策，这个问题的严重性为“低”。

漏洞修复¶

• Fixed a regression in Django 6.0 where alogin() and alogout() did not respectively set or clear request.user if it had already been materialized (e.g., by sync middleware) (#37017).

• Fixed a regression in Django 6.0 in admin forms where RelatedFieldWidgetWrapper incorrectly wrapped all widgets in a

  (#36949).

• Fixed a bug in Django 6.0 where the fields.E348 system check did not detect name clashes between model managers and related_names for non-self-referential relationships (#36973).