CVE-2026-3902
Publication date 7 April 2026
Last updated 8 April 2026
Ubuntu priority
Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Read the notes from the security team
Why is this CVE low priority?
Django developers have rated this as being a low severity issue
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-django | 25.10 questing |
Fixed 3:5.2.4-1ubuntu2.4
|
| 24.04 LTS noble |
Fixed 3:4.2.11-1ubuntu1.15
|
|
| 22.04 LTS jammy |
Fixed 2:3.2.12-2ubuntu1.26
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Notes
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-8154-1
- Django vulnerabilities
- 7 April 2026