CVE-2026-33034: Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit

April 7, 2026 (updated April 8, 2026)

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into memory.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.

References

docs.djangoproject.com/en/dev/releases/security
github.com/advisories/GHSA-933h-hp56-hf7m
github.com/django/django
groups.google.com/g/django-announce
nvd.nist.gov/vuln/detail/CVE-2026-33034
www.djangoproject.com/weblog/2026/apr/07/security-releases

Code Behaviors & Features

Detect and mitigate CVE-2026-33034 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →