PT-2026-30851 · Django+3

Jacob Walls +2 · Published 2026-04-07 · Updated 2026-05-13 · CVE-2026-33034

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Django versions 4.2 through 4.2.29, 5.2 through 5.2.12, and 6.0 through 6.0.3

Description

ASGI requests lacking or underreporting the Content-Length header may bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when processing HttpRequest.body, potentially allowing attackers to upload an unrestricted request body into memory. Earlier, unsupported Django versions (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.

Recommendations

Update to Django version 4.2.30 or later. Update to Django version 5.2.13 or later. Update to Django version 6.0.4 or later.
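
A defence-in-depth sketch of the limit the description says is bypassed: an ASGI wrapper that counts body bytes as they actually arrive instead of trusting Content-Length. This is an added example, not Django's fix and not code from the advisory; `limit_body`, `BodyTooLarge`, `buffering_app`, `demo_status` and the request chunks are hypothetical or constructed, and the app is a stand-in rather than Django itself.

```python
import asyncio

class BodyTooLarge(Exception):
    """Received body exceeded the cap."""

def limit_body(app, max_bytes):
    """Hypothetical ASGI wrapper: caps bytes actually received, never trusts Content-Length."""
    async def wrapped(scope, receive, send):
        seen, started = 0, False
        async def counted_receive():
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > max_bytes:
                    raise BodyTooLarge
            return message
        async def tracked_send(message):
            nonlocal started
            started = started or message["type"] == "http.response.start"
            await send(message)
        try:
            await app(scope, counted_receive, tracked_send)
        except BodyTooLarge:
            if started:
                raise  # response already begun; let the server abort the connection
            await send({"type": "http.response.start", "status": 413, "headers": []})
            await send({"type": "http.response.body", "body": b""})
    return wrapped

async def buffering_app(scope, receive, send):
    # Constructed stand-in for a view that buffers the whole body in memory.
    body, more = b"", True
    while more:
        message = await receive()
        body += message.get("body", b"")
        more = message.get("more_body", False)
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": str(len(body)).encode()})

def demo_status(chunks, max_bytes, headers=()):
    # Constructed request; returns the HTTP status the client would see.
    queue = [{"type": "http.request", "body": c, "more_body": True} for c in chunks]
    queue.append({"type": "http.request", "body": b"", "more_body": False})
    sent = []
    async def receive(): return queue.pop(0)
    async def send(message): sent.append(message)
    scope = {"type": "http", "method": "POST", "path": "/", "headers": list(headers)}
    asyncio.run(limit_body(buffering_app, max_bytes)(scope, receive, send))
    return sent[0]["status"]
```

In a Django project the wrapper would go around the object returned by `get_asgi_application()` in `asgi.py`. It complements the updates listed under Recommendations and does not replace them.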

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

BIT-DJANGO-2026-33034
CVE-2026-33034
ECHO-01AC-8821-274A
GHSA-933H-HP56-HF7M
MGASA-2026-0093
OESA-2026-2217
OESA-2026-2218
OESA-2026-2219
OESA-2026-2220
OPENSUSE-SU-2026:10516-1
OPENSUSE-SU-2026:10517-1
OPENSUSE-SU-2026:10567-1
OPENSUSE-SU-2026:20578-1
PYSEC-2026-49
USN-8154-1

Affected Products

Django
Linuxmint
Red Os
Ubuntu