CVE-2026-4292

CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable

Vendor Djangoproject

Product Django

Weakness CWE-862 · Missing authorization

Published April 7, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Key dates

02Disclosure timeline

April 7, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-4292 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-14608 WP Last Modified Info <= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification CVE-2026-41454 WeKan < 8.35 Missing Authorization via Integration REST API CVE-2024-1717 Admin Notices Manager <= 1.4.0 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval CVE-2025-48108 WordPress School Management Plugin <= 93.2.0 - Broken Access Control Vulnerability CVE-2025-23929 WordPress Email Capture & Lead Generation Plugin <= 1.0.2 - Broken Access Control vulnerability

Identifiers

CVE CVE-2026-4292

CWE CWE-862

Affected versions

Vendor Djangoproject

Product Django

Affected ≥ 6.0 and < 6.0.4

Vendor Djangoproject

Product Django

Affected ≥ 5.2 and < 5.2.13

Vendor Djangoproject

Product Django

Affected ≥ 4.2 and < 4.2.30