CVE-2026-3902
Django vulnerable to ASGI header spoofing via underscore/hyphen conflation
7.5
HIGH
CVSS 3.1
EPSS 0.02%
Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
How to fix CVE-2026-3902
To remediate CVE-2026-3902, upgrade the affected package to a fixed version below.
- —upgrade to 4.2.30 or later
- —no fix listed
- —upgrade to 6.0.4 or later
- —upgrade to 4.2.30 or later
Is CVE-2026-3902 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 4.2.0, < 4.2.30, >= 5.2.0, < 5.2.13, >= 6.0.0, < 6.0.4
- from 0
- >= 6.0, < 6.0.4
- >= 4.2, < 4.2.30, >= 5.2, < 5.2.13, >= 6.0, < 6.0.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |