exploitDog
CVE-2026-4292

Published: 07 Apr 2026
Source: redhat
CVSS3: 5.3 (Medium)

Description

A flaw was found in Django. Admin changelist forms utilizing ModelAdmin.list_editable were susceptible to improper access control. A remote attacker could exploit this by sending forged POST data, leading to the unauthorized creation of new instances within the application.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform                              | Package                                          | Status       | Recommendation | Release
Red Hat Ansible Automation Platform 2 | automation-controller                            | Fix deferred |                |
Red Hat Ansible Automation Platform 2 | redhat-user-workloads/automation-reports         | Fix deferred |                |
Red Hat Ansible Automation Platform 2 | redhat-user-workloads/controller-rhel9            | Fix deferred |                |
Red Hat Ansible Automation Platform 2 | redhat-user-workloads/eda-controller-rhel9        | Fix deferred |                |
Red Hat Ansible Automation Platform 2 | redhat-user-workloads/gateway-rhel9               | Fix deferred |                |
Red Hat Ansible Automation Platform 2 | redhat-user-workloads/hub-rhel9                   | Fix deferred |                |
Red Hat Ansible Automation Platform 2 | redhat-user-workloads/lightspeed-rhel8            | Fix deferred |                |
Red Hat Ansible Automation Platform 2 | redhat-user-workloads/lightspeed-rhel9            | Fix deferred |                |
Red Hat Ansible Automation Platform 2 | redhat-user-workloads/metrics-service-rhel9       | Fix deferred |                |
Red Hat Discovery 2                   | redhat-user-workloads/discovery-server            | Fix deferred |                |


Additional information

Status: Moderate
Weakness: CWE-472
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2455941
Bug title: Django: Django: Unauthorized instance creation via forged POST data in Admin changelist forms


Related vulnerabilities

Source: ubuntu | CVSS3: 2.7 | 3 days ago
Privilege abuse in ModelAdmin.list_editable

Source: nvd | CVSS3: 2.7 | 3 days ago
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Source: debian | CVSS3: 2.7 | 3 days ago
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4. ...

Source: github | CVSS3: 2.7 | 3 days ago
Django vulnerable to privilege abuse in ModelAdmin.list_editable
