Medium severity (5.3) · GHSA Advisory · Published May 5, 2026 · Updated May 7, 2026
CVE-2026-5766
Description
An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.
As a reminder, Django expects a request body limit to be configured at the web server level rather than relying solely on FILE_UPLOAD_MAX_MEMORY_SIZE. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 6.0, < 6.0.5 | 6.0.5 |
| Django (PyPI) | >= 5.2, < 5.2.14 | 5.2.14 |
Affected products
- Django (cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*): range >= 5.2, < 5.2.14 (the same range is also listed once without a CPE)
- OSV coordinates (15 packages, no CPE):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/authentik-2025.12 | < 2025.12.4-r9 |
| pkg:apk/chainguard/authentik-2026.2 | < 2026.2.1-r9 |
| pkg:apk/chainguard/authentik-fips-2025.12 | < 2025.12.4-r7 |
| pkg:apk/chainguard/authentik-fips-2026.2 | < 2026.2.1-r7 |
| pkg:apk/chainguard/py3.12-django | < 6.0.5-r0 |
| pkg:apk/chainguard/py3.13-django | < 6.0.5-r0 |
| pkg:apk/chainguard/py3-django | < 6.0.5-r0 |
| pkg:apk/wolfi/py3.12-django | < 6.0.5-r0 |
| pkg:apk/wolfi/py3.13-django | < 6.0.5-r0 |
| pkg:apk/wolfi/py3-django | < 6.0.5-r0 |
| pkg:bitnami/django | >= 5.2.0, < 5.2.14 |
| pkg:pypi/django | >= 6.0, < 6.0.5 |
| pkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweed | < 4.2.30-2.1 |
| pkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweed | < 6.0.5-1.1 |
| pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweed | < 5.2.14-1.1 |
References
- docs.djangoproject.com/en/dev/releases/security/ (NVD: Vendor Advisory; GHSA: Web)
- github.com/advisories/GHSA-w26r-rmm8-9c29 (GHSA: Advisory)
- groups.google.com/g/django-announce (NVD: Third Party Advisory, Web)
- nvd.nist.gov/vuln/detail/CVE-2026-5766 (GHSA: Advisory)
- www.djangoproject.com/weblog/2026/may/05/security-releases/ (NVD: Vendor Advisory; GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2026-54.yaml (GHSA: Web)