{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3902", "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "state": "PUBLISHED", "assignerShortName": "DSF", "dateReserved": "2026-03-10T18:33:26.472Z", "datePublished": "2026-04-07T14:22:07.190Z", "dateUpdated": "2026-04-07T16:14:07.198Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "shortName": "DSF", "dateUpdated": "2026-04-07T14:22:07.190Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-151", "descriptions": [{"lang": "en", "value": "CAPEC-151: Identity Spoofing"}]}], "title": "ASGI header spoofing via underscore/hyphen conflation", "metrics": [{"other": {"content": {"value": "low", "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels"}, "type": "Django severity rating"}}], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.</p><p>`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank Tarek Nakkouch for reporting this issue.</p>"}]}], "affected": [{"collectionURL": "https://pypi.org/project/Django/", "defaultStatus": "unaffected", "packageName": "django", "product": "Django", "repo": "https://github.com/django/django/", "vendor": "djangoproject", "versions": [{"status": "affected", "version": "6.0", "lessThan": "6.0.4", "versionType": "semver"}, {"status": "unaffected", "version": "6.0.4", "versionType": "semver"}, {"status": "affected", "version": "5.2", "lessThan": "5.2.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.2.13", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.30", "versionType": "semver"}, {"status": "unaffected", "version": "4.2.30", "versionType": "semver"}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "name": "Django security archive", "tags": ["vendor-advisory"]}, {"url": "https://groups.google.com/g/django-announce", "name": "Django releases announcements", "tags": ["mailing-list"]}, {"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/", "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "type": "reporter", "value": "Tarek Nakkouch"}, {"lang": "en", "type": "remediation developer", "value": "Jacob Walls"}, {"lang": "en", "type": "coordinator", "value": "Jacob Walls"}], "timeline": [{"lang": "en", "time": "2025-12-23T12:00:00.000Z", "value": "Initial report received."}, {"lang": "en", "time": "2026-03-10T12:00:00.000Z", "value": "Vulnerability confirmed."}, {"lang": "en", "time": "2026-04-07T09:00:00.000Z", "value": "Security release issued."}], "datePublic": "2026-04-07T09:00:00.000Z", "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T16:14:03.870418Z", "id": "CVE-2026-3902", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:14:07.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3902", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T16:14:03.870418Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:13:58.332Z"}}], "cna": {"title": "ASGI header spoofing via underscore/hyphen conflation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Tarek Nakkouch"}, {"lang": "en", "type": "remediation developer", "value": "Jacob Walls"}, {"lang": "en", "type": "coordinator", "value": "Jacob Walls"}], "impacts": [{"capecId": "CAPEC-151", "descriptions": [{"lang": "en", "value": "CAPEC-151: Identity Spoofing"}]}], "metrics": [{"other": {"type": "Django severity rating", "content": {"value": "low", "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels"}}}], "affected": [{"repo": "https://github.com/django/django/", "vendor": "djangoproject", "product": "Django", "versions": [{"status": "affected", "version": "6.0", "lessThan": "6.0.4", "versionType": "semver"}, {"status": "unaffected", "version": "6.0.4", "versionType": "semver"}, {"status": "affected", "version": "5.2", "lessThan": "5.2.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.2.13", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.30", "versionType": "semver"}, {"status": "unaffected", "version": "4.2.30", "versionType": "semver"}], "packageName": "django", "collectionURL": "https://pypi.org/project/Django/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-23T12:00:00.000Z", "value": "Initial report received."}, {"lang": "en", "time": "2026-03-10T12:00:00.000Z", "value": "Vulnerability confirmed."}, {"lang": "en", "time": "2026-04-07T09:00:00.000Z", "value": "Security release issued."}], "datePublic": "2026-04-07T09:00:00.000Z", "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "name": "Django security archive", "tags": ["vendor-advisory"]}, {"url": "https://groups.google.com/g/django-announce", "name": "Django releases announcements", "tags": ["mailing-list"]}, {"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/", "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.", "supportingMedia": [{"type": "text/html", "value": "<p>An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.</p><p>`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank Tarek Nakkouch for reporting this issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "shortName": "DSF", "dateUpdated": "2026-04-07T14:22:07.190Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3902", "state": "PUBLISHED", "dateUpdated": "2026-04-07T16:14:07.198Z", "dateReserved": "2026-03-10T18:33:26.472Z", "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "datePublished": "2026-04-07T14:22:07.190Z", "assignerShortName": "DSF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."}], "id": "CVE-2026-3902", "lastModified": "2026-04-07T17:16:37.527", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T15:17:46.353", "references": [{"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "url": "https://groups.google.com/g/django-announce"}, {"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"}], "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "type": "Secondary"}]}

{"bugzilla": {"description": "Django: Django: Header spoofing via ambiguous header mapping", "id": "2455935", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455935"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-444", "details": ["A flaw was found in Django. A remote attacker can exploit an ambiguous mapping of header variants (with hyphens or underscores) to a single version with underscores in `ASGIRequest`. This vulnerability allows the attacker to spoof headers, potentially leading to unauthorized actions or misdirection within the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-3902", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/automation-reports", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/eda-controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/hub-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/metrics-service-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:discovery:2::el9", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/discovery-server", "product_name": "Red Hat Discovery 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/iop-advisor-backend-sat-6-18", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-04-07T14:22:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3902\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3902\nhttps://docs.djangoproject.com/en/dev/releases/security/\nhttps://github.com/django/django/commit/caf90a971f09323775ed0cacf94eadaf39d040e0\nhttps://groups.google.com/g/django-announce\nhttps://www.djangoproject.com/weblog/2026/apr/07/security-releases/"], "threat_severity": "Moderate"}