Potential SQL injection via QuerySet.order_by and FilteredRelation
Summary
| CVE | CVE-2026-1312 |
|---|---|
| State | PUBLISHED |
| Assigner | DSF |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-02-03 15:16:13 UTC |
| Updated | 2026-06-30 03:17:16 UTC |
| Description | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. |
Risk And Classification
Primary CVSS: v3.1 5.4 MEDIUM from ADP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Problem Types: CWE-89 | CWE-89 CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| 3.1 | ADP | CVSS | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Djangoproject | Django | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Djangoproject | Django | affected 6.0 6.0.2 semver | Not specified |
| CNA | Djangoproject | Django | unaffected 6.0.2 semver | Not specified |
| CNA | Djangoproject | Django | affected 5.2 5.2.11 semver | Not specified |
| CNA | Djangoproject | Django | unaffected 5.2.11 semver | Not specified |
| CNA | Djangoproject | Django | affected 4.2 4.2.28 semver | Not specified |
| CNA | Djangoproject | Django | unaffected 4.2.28 semver | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.5 For RHEL 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6.16 For RHEL 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.5 For RHEL 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.6 For RHEL 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6.16 For RHEL 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6.17 For RHEL 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6.18 For RHEL 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.5 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Discovery 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6.18 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Update Infrastructure 4 For Cloud Providers | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.6 For RHEL 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 16.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 17.1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 18.0 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:5970 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14835 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3960 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3962 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3958 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-1312 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| groups.google.com/g/django-announce | 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | groups.google.com | Release Notes |
| docs.djangoproject.com/en/dev/releases/security | 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | docs.djangoproject.com | Patch, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:2694 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| www.djangoproject.com/weblog/2026/feb/03/security-releases | 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | www.djangoproject.com | Patch, Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1312.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6291 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:5971 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3959 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Solomon Kebede (en)
CNA: Jacob Walls (en)
CNA: Jacob Walls (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-01-12T18:00:00.000Z | Initial report received. |
| CNA | 2026-01-26T18:00:00.000Z | Vulnerability confirmed. |
| CNA | 2026-02-03T08:00:00.000Z | Security release issued. |
| ADP | 2026-02-03T15:01:18.274Z | Reported to Red Hat. |
| ADP | 2026-02-03T14:36:23.257Z | Made public. |
Solutions
ADP: RHSA-2026:3959: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9
ADP: RHSA-2026:5971: Red Hat Satellite 6.16 for RHEL 8, Red Hat Satellite 6.16 for RHEL 9
ADP: RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9
ADP: RHSA-2026:5970: Red Hat Satellite 6.17 for RHEL 9
ADP: RHSA-2026:14835: Red Hat Satellite 6.18 for RHEL 9
ADP: RHSA-2026:3962: Red Hat Ansible Automation Platform 2.5
ADP: RHSA-2026:3960: Red Hat Ansible Automation Platform 2.6
ADP: RHSA-2026:2694: Red Hat Discovery 2
ADP: RHSA-2026:6291: Red Hat Satellite 6.18
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.