CVE-2026-4277: Django vulnerable to privilege abuse in GenericInlineModelAdmin

April 7, 2026 (updated April 8, 2026)

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged POST data in GenericInlineModelAdmin.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

References

docs.djangoproject.com/en/dev/releases/security
github.com/advisories/GHSA-pwjp-ccjc-ghwg
github.com/django/django
groups.google.com/g/django-announce
nvd.nist.gov/vuln/detail/CVE-2026-4277
www.djangoproject.com/weblog/2026/apr/07/security-releases

Code Behaviors & Features

Detect and mitigate CVE-2026-4277 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →