CVE-2026-5766 PUBLISHED

Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass

Assigner: DSF
Reserved: 07.04.2026 Published: 05.05.2026 Updated: 05.05.2026

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.3

Product Status

Vendor djangoproject
Product Django
Versions Default: unaffected
  • affected from 6.0 to 6.0.5 (excl.)
  • Version 6.0.5 is unaffected
  • affected from 5.2 to 5.2.14 (excl.)
  • Version 5.2.14 is unaffected

Credits

  • Kyle Agronick reporter
  • Jacob Walls remediation developer
  • Sarah Boyce coordinator

References

Problem Types

  • CWE-130: Improper Handling of Length Parameter Inconsistency CWE

Impacts

  • CAPEC-130: Excessive Allocation