CVE-2026-5766: Django has an Improper Handling of Length Parameter Inconsistency

May 5, 2026 (updated May 8, 2026)

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.

Django thanks Kyle Agronick for reporting this issue.

References

docs.djangoproject.com/en/dev/releases/security
github.com/advisories/GHSA-w26r-rmm8-9c29
github.com/django/django
groups.google.com/g/django-announce
nvd.nist.gov/vuln/detail/CVE-2026-5766
www.djangoproject.com/weblog/2026/may/05/security-releases

Code Behaviors & Features

Detect and mitigate CVE-2026-5766 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →