{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4277", "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "state": "PUBLISHED", "assignerShortName": "DSF", "dateReserved": "2026-03-16T15:26:08.125Z", "datePublished": "2026-04-07T14:22:25.547Z", "dateUpdated": "2026-04-07T14:22:25.547Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "shortName": "DSF", "dateUpdated": "2026-04-07T14:22:25.547Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122: Privilege Abuse"}]}], "title": "Privilege abuse in GenericInlineModelAdmin", "metrics": [{"other": {"content": {"value": "low", "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels"}, "type": "Django severity rating"}}], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdd permissions on inline model instances were not validated on submission of\r\nforged `POST` data in `GenericInlineModelAdmin`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank N05ec@LZU-DSLab for reporting this issue.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.</p><p>Add permissions on inline model instances were not validated on submission of</p><p>forged `POST` data in `GenericInlineModelAdmin`.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank N05ec@LZU-DSLab for reporting this issue.</p>"}]}], "affected": [{"collectionURL": "https://pypi.org/project/Django/", "defaultStatus": "unaffected", "packageName": "django", "product": "Django", "repo": "https://github.com/django/django/", "vendor": "djangoproject", "versions": [{"status": "affected", "version": "6.0", "lessThan": "6.0.4", "versionType": "semver"}, {"status": "unaffected", "version": "6.0.4", "versionType": "semver"}, {"status": "affected", "version": "5.2", "lessThan": "5.2.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.2.13", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.30", "versionType": "semver"}, {"status": "unaffected", "version": "4.2.30", "versionType": "semver"}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "name": "Django security archive", "tags": ["vendor-advisory"]}, {"url": "https://groups.google.com/g/django-announce", "name": "Django releases announcements", "tags": ["mailing-list"]}, {"url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/", "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "type": "reporter", "value": "N05ec@LZU-DSLab"}, {"lang": "en", "type": "remediation developer", "value": "Jacob Walls"}, {"lang": "en", "type": "coordinator", "value": "Jacob Walls"}], "timeline": [{"lang": "en", "time": "2026-03-07T12:00:00.000Z", "value": "Initial report received."}, {"lang": "en", "time": "2026-03-16T12:00:00.000Z", "value": "Vulnerability confirmed."}, {"lang": "en", "time": "2026-04-07T09:00:00.000Z", "value": "Security release issued."}], "datePublic": "2026-04-07T09:00:00.000Z", "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdd permissions on inline model instances were not validated on submission of\r\nforged `POST` data in `GenericInlineModelAdmin`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank N05ec@LZU-DSLab for reporting this issue."}], "id": "CVE-2026-4277", "lastModified": "2026-04-07T15:17:46.500", "metrics": {}, "published": "2026-04-07T15:17:46.500", "references": [{"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "url": "https://groups.google.com/g/django-announce"}, {"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"}], "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "type": "Secondary"}]}

{"bugzilla": {"description": "Django: Django: Privilege Abuse via Forged POST Data in GenericInlineModelAdmin", "id": "2455939", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455939"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-639", "details": ["A flaw was found in Django. This vulnerability allows an attacker to bypass permission validation by submitting forged `POST` data to the `GenericInlineModelAdmin` component. As a result, unauthorized inline model instances could be added, potentially leading to privilege abuse or unauthorized data manipulation within the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-4277", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/automation-reports", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/eda-controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/hub-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/metrics-service-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:discovery:2::el9", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/discovery-server", "product_name": "Red Hat Discovery 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/iop-advisor-backend-sat-6-18", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-04-07T14:22:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4277\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4277\nhttps://docs.djangoproject.com/en/dev/releases/security/\nhttps://github.com/django/django/commit/ef8b25dcc06d158683a5623ce406d561638f4073\nhttps://groups.google.com/g/django-announce\nhttps://www.djangoproject.com/weblog/2026/apr/07/security-releases/"], "threat_severity": "Moderate"}