{"api_version":"1","generated_at":"2026-04-07T22:33:41+00:00","cve":"CVE-2026-33034","urls":{"html":"https://cve.report/CVE-2026-33034","api":"https://cve.report/api/cve/CVE-2026-33034.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-33034","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-33034"},"summary":{"title":"Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass","description":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nASGI requests with a missing or understated `Content-Length` header could\r\nbypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\r\n`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\r\nmemory.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Superior for reporting this issue.","state":"PUBLISHED","assigner":"DSF","published_at":"2026-04-07 15:17:39","updated_at":"2026-04-07 21:17:17"},"problem_types":["CWE-770","CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://groups.google.com/g/django-announce","name":"https://groups.google.com/g/django-announce","refsource":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://docs.djangoproject.com/en/dev/releases/security/","name":"https://docs.djangoproject.com/en/dev/releases/security/","refsource":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/","name":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/","refsource":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-33034","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33034","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"djangoproject","product":"Django","version":"affected 6.0 6.0.4 semver","platforms":[]},{"source":"CNA","vendor":"djangoproject","product":"Django","version":"unaffected 6.0.4 semver","platforms":[]},{"source":"CNA","vendor":"djangoproject","product":"Django","version":"affected 5.2 5.2.13 semver","platforms":[]},{"source":"CNA","vendor":"djangoproject","product":"Django","version":"unaffected 5.2.13 semver","platforms":[]},{"source":"CNA","vendor":"djangoproject","product":"Django","version":"affected 4.2 4.2.30 semver","platforms":[]},{"source":"CNA","vendor":"djangoproject","product":"Django","version":"unaffected 4.2.30 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-02-24T12:00:00.000Z","lang":"en","value":"Initial report received."},{"source":"CNA","time":"2026-03-17T12:00:00.000Z","lang":"en","value":"Vulnerability confirmed."},{"source":"CNA","time":"2026-04-07T09:00:00.000Z","lang":"en","value":"Security release issued."}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Superior","lang":"en"},{"source":"CNA","value":"Natalia Bidart","lang":"en"},{"source":"CNA","value":"Jacob Walls","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-33034","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-07T20:43:43.119514Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-07T20:44:01.819Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://pypi.org/project/Django/","defaultStatus":"unaffected","packageName":"django","product":"Django","repo":"https://github.com/django/django/","vendor":"djangoproject","versions":[{"lessThan":"6.0.4","status":"affected","version":"6.0","versionType":"semver"},{"status":"unaffected","version":"6.0.4","versionType":"semver"},{"lessThan":"5.2.13","status":"affected","version":"5.2","versionType":"semver"},{"status":"unaffected","version":"5.2.13","versionType":"semver"},{"lessThan":"4.2.30","status":"affected","version":"4.2","versionType":"semver"},{"status":"unaffected","version":"4.2.30","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"Superior"},{"lang":"en","type":"remediation developer","value":"Natalia Bidart"},{"lang":"en","type":"coordinator","value":"Jacob Walls"}],"datePublic":"2026-04-07T09:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.</p><p>ASGI requests with a missing or understated `Content-Length` header could</p><p>bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading</p><p>`HttpRequest.body`, allowing remote attackers to load an unbounded request body into</p><p>memory.</p><p>Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.</p><p>Django would like to thank Superior for reporting this issue.</p>"}],"value":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nASGI requests with a missing or understated `Content-Length` header could\r\nbypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\r\n`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\r\nmemory.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Superior for reporting this issue."}],"impacts":[{"capecId":"CAPEC-130","descriptions":[{"lang":"en","value":"CAPEC-130: Excessive Allocation"}]}],"metrics":[{"other":{"content":{"namespace":"https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels","value":"low"},"type":"Django severity rating"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"CWE-770: Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-07T14:22:59.942Z","orgId":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","shortName":"DSF"},"references":[{"name":"Django security archive","tags":["vendor-advisory"],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"name":"Django releases announcements","tags":["mailing-list"],"url":"https://groups.google.com/g/django-announce"},{"name":"Django security releases issued: 6.0.4, 5.2.13, and 4.2.30","tags":["vendor-advisory"],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"}],"source":{"discovery":"EXTERNAL"},"timeline":[{"lang":"en","time":"2026-02-24T12:00:00.000Z","value":"Initial report received."},{"lang":"en","time":"2026-03-17T12:00:00.000Z","value":"Vulnerability confirmed."},{"lang":"en","time":"2026-04-07T09:00:00.000Z","value":"Security release issued."}],"title":"Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","assignerShortName":"DSF","cveId":"CVE-2026-33034","datePublished":"2026-04-07T14:22:59.942Z","dateReserved":"2026-03-17T17:36:23.992Z","dateUpdated":"2026-04-07T20:44:01.819Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-07 15:17:39","lastModifiedDate":"2026-04-07 21:17:17","problem_types":["CWE-770","CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"33034","Ordinal":"1","Title":"Potential denial-of-service vulnerability in ASGI requests via m","CVE":"CVE-2026-33034","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"33034","Ordinal":"1","NoteData":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nASGI requests with a missing or understated `Content-Length` header could\r\nbypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\r\n`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\r\nmemory.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Superior for reporting this issue.","Type":"Description","Title":"Potential denial-of-service vulnerability in ASGI requests via m"}]}}}