An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
"}],"value":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue."}],"impacts":[{"capecId":"CAPEC-151","descriptions":[{"lang":"en","value":"CAPEC-151: Identity Spoofing"}]}],"metrics":[{"other":{"content":{"namespace":"https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels","value":"low"},"type":"Django severity rating"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-290","description":"CWE-290: Authentication Bypass by Spoofing","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-07T14:22:07.190Z","orgId":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","shortName":"DSF"},"references":[{"name":"Django security archive","tags":["vendor-advisory"],"url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"name":"Django releases announcements","tags":["mailing-list"],"url":"https://groups.google.com/g/django-announce"},{"name":"Django security releases issued: 6.0.4, 5.2.13, and 4.2.30","tags":["vendor-advisory"],"url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"}],"source":{"discovery":"EXTERNAL"},"timeline":[{"lang":"en","time":"2025-12-23T12:00:00.000Z","value":"Initial report received."},{"lang":"en","time":"2026-03-10T12:00:00.000Z","value":"Vulnerability confirmed."},{"lang":"en","time":"2026-04-07T09:00:00.000Z","value":"Security release issued."}],"title":"ASGI header spoofing via underscore/hyphen conflation","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92","assignerShortName":"DSF","cveId":"CVE-2026-3902","datePublished":"2026-04-07T14:22:07.190Z","dateReserved":"2026-03-10T18:33:26.472Z","dateUpdated":"2026-04-07T16:14:07.198Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-07 15:17:46","lastModifiedDate":"2026-04-07 17:16:37","problem_types":["CWE-290","CWE-290 CWE-290: Authentication Bypass by Spoofing"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"3902","Ordinal":"1","Title":"ASGI header spoofing via underscore/hyphen conflation","CVE":"CVE-2026-3902","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"3902","Ordinal":"1","NoteData":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\n`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.","Type":"Description","Title":"ASGI header spoofing via underscore/hyphen conflation"}]}}}