PT-2026-6030 · Django+3

Jacob Walls (+1)

Published: 2026-02-03 · Updated: 2026-05-11

CVE-2026-1207

CVSS v4.0: 8.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions
Django versions prior to 6.0.2
Django versions prior to 5.2.11
Django versions prior to 4.2.28
Django versions 5.0.x and earlier
Django versions 4.1.x and earlier
Django versions 3.2.x and earlier

Description
A SQL injection flaw exists in Django's GeoDjango RasterField implementation when used with a PostGIS backend. The issue arises because the raster band index is not properly parameterized during RasterField lookup processing, so an attacker who controls the band parameter can inject arbitrary SQL. Successful exploitation could lead to arbitrary SQL execution, data theft, modification of data, authentication bypass, potential remote code execution, and disruption of services. The vulnerability affects applications that use GeoDjango RasterField with PostGIS and expose raster lookups to user input.

Recommendations
Upgrade to Django version 6.0.2 or later.
Upgrade to Django version 5.2.11 or later.
Upgrade to Django version 4.2.28 or later.
For unsupported Django series (5.0.x, 4.1.x, and 3.2.x), migrate to a supported version.
Restrict access to raster endpoints.
Deploy WAF rules to filter SQL injection patterns.
Enforce strict input validation.
Review application and database logs for anomalous raster queries and unexpected PostGIS function usage.
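The "strict input validation" recommendation, as an added example that is not part of the advisory and is not Django's own fix: an allow-list parser for a user-supplied raster band index, run at the application boundary before the value reaches any raster lookup, as defense in depth alongside the upgrade. MAX_BAND_INDEX and the sample inputs are constructed for the example; the only thing it assumes about the band index is that it is a small positive integer.

```python
import re

# Constructed upper bound for this example. PostGIS band indices are 1-based;
# the real limit is the number of bands in the raster being queried.
MAX_BAND_INDEX = 16

# Accept only a canonical ASCII decimal integer. A bare int(value) is too
# lenient for untrusted input: int() also accepts surrounding whitespace,
# underscores ("1_0") and non-ASCII digits, and \d in a str regex matches
# Unicode digits, so the class is spelled [0-9] on purpose.
_BAND_RE = re.compile(r"0|[1-9][0-9]*")


def parse_band_index(raw, max_band=MAX_BAND_INDEX):
    """Return the band index as an int, or raise ValueError for any other input."""
    if not isinstance(raw, str) or _BAND_RE.fullmatch(raw) is None:
        raise ValueError("band index must be a plain decimal integer")
    band = int(raw)
    if not 1 <= band <= max_band:
        raise ValueError("band index out of range")
    return band


def is_valid_band_index(raw, max_band=MAX_BAND_INDEX):
    """Boolean form of parse_band_index, for use in form or serializer validation."""
    try:
        parse_band_index(raw, max_band)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs as they might arrive from a query string.
    for sample in ["1", "16", "0", "17", " 1", "1_0", "1.0", "1)", "\u0661"]:
        print(repr(sample), "->", is_valid_band_index(sample))
```

Values that pass are handed to the ORM as an int; everything else is rejected before a query is ever built.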

Exploit · Fix · RCE · DoS · SQL injection

Weakness Enumeration

Related Identifiers

BDU:2026-03466
BIT-DJANGO-2026-1207
CVE-2026-1207
ECHO-37CC-2AE7-E3C8
GHSA-MWM9-4648-F68Q
MGASA-2026-0032
OESA-2026-1307
OESA-2026-1308
OESA-2026-1309
OESA-2026-1343
OESA-2026-1344
OESA-2026-1507
OPENSUSE-SU-2026:10145-1
OPENSUSE-SU-2026:10160-1
OPENSUSE-SU-2026:10247-1
OPENSUSE-SU-2026:20184-1
PYSEC-2026-44
RHSA-2026:14835
RHSA-2026:3958
RHSA-2026:3959
RHSA-2026:5970
RHSA-2026:5971
SUSE-SU-2026:0440-1
USN-8009-1

Affected Products

Django
Linuxmint
Red Os
Ubuntu