Medium severity5.3GHSA Advisory· Published May 5, 2026· Updated May 7, 2026

CVE-2026-5766

Description

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.

Affected products

Djangoproject/DjangoGHSA2 versions
>= 5.2, < 5.2.14+ 1 more
- (no CPE)range: >= 5.2, < 5.2.14
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*range: >=5.2,<5.2.14

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

docs.djangoproject.com/en/dev/releases/security/nvdVendor Advisory
github.com/advisories/GHSA-w26r-rmm8-9c29ghsaADVISORY
groups.google.com/g/django-announcenvdThird Party Advisory
www.djangoproject.com/weblog/2026/may/05/security-releases/nvdVendor Advisory
docs.djangoproject.com/en/dev/releases/securityghsa
nvd.nist.gov/vuln/detail/CVE-2026-5766ghsa
www.djangoproject.com/weblog/2026/may/05/security-releasesghsa

News mentions

How AI Assistants are Moving the Security Goalposts
Krebs on Security · Mar 8, 2026

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000