Description
An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. The add permission on inline model instances was not validated when forged `POST` data was submitted to a `GenericInlineModelAdmin`, so a user who lacked the add permission for the inline model could still create instances of it by submitting inline form data the admin page had not rendered. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.
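The following is an added illustration of the class of check the advisory describes, written here in plain Python; it is not Django's code, does not import Django, and does not reproduce the fix. The names `User`, `parse_inline_forms`, `forbidden_new_forms` and `validate_inline_post` are chosen for this example, the formset prefix `tag_set` and the permission codename `app.add_tag` are assumed, and both `POST` dictionaries are constructed sample input. Only the management-form keys (`TOTAL_FORMS`, `INITIAL_FORMS`) and the `<prefix>-<index>-<field>` layout follow Django's real formset conventions. The point it shows is that the number and content of submitted inline forms are attacker-controlled, so the add permission has to be checked against every submitted form that would create an object, never against what the page rendered. The remediation for an affected site remains upgrading to the fixed release.

```python
"""Add-permission check for inline formset submissions (added example,
not Django's code). Management-form keys and form prefixes follow Django's
formset layout; everything else here is an assumption for illustration."""
from dataclasses import dataclass, field


@dataclass
class User:
    """Minimal stand-in for the permission check an admin view performs."""
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


class PermissionDenied(Exception):
    pass


def parse_inline_forms(post: dict, prefix: str) -> list:
    """Split flat POST data into one dict per inline form.

    The form count comes from the submitted management form, which the
    client controls: a forged request can raise TOTAL_FORMS above what the
    page rendered and append extra forms after the rendered ones.
    """
    total = int(post.get(f"{prefix}-TOTAL_FORMS", "0"))
    forms = []
    for i in range(total):
        form_prefix = f"{prefix}-{i}-"
        forms.append({k[len(form_prefix):]: v
                      for k, v in post.items() if k.startswith(form_prefix)})
    return forms


def forbidden_new_forms(post: dict, prefix: str, user: User, add_perm: str) -> list:
    """Return indices of submitted forms that would create a new inline
    instance although ``user`` lacks ``add_perm``.

    A form with an empty ``id`` represents a new instance. A form flagged
    DELETE is skipped because a new form marked for deletion is never saved.
    The check walks every submitted form, which is the property that was
    missing for generic inlines in the affected versions.
    """
    return [
        i for i, form in enumerate(parse_inline_forms(post, prefix))
        if not form.get("id") and not form.get("DELETE")
        and not user.has_perm(add_perm)
    ]


def validate_inline_post(post: dict, prefix: str, user: User, add_perm: str) -> list:
    """Raise PermissionDenied on a forbidden submission, else return the parsed forms."""
    bad = forbidden_new_forms(post, prefix, user, add_perm)
    if bad:
        raise PermissionDenied(
            f"{prefix}: forms {bad} would add objects without {add_perm}")
    return parse_inline_forms(post, prefix)


# Constructed sample input. "tag_set" is an assumed formset prefix and
# "app.add_tag" an assumed codename following Django's "<app_label>.add_<model>"
# convention.
RENDERED_POST = {          # what the admin page rendered: one existing inline
    "tag_set-TOTAL_FORMS": "1",
    "tag_set-INITIAL_FORMS": "1",
    "tag_set-0-id": "7",
    "tag_set-0-name": "existing",
}
FORGED_POST = dict(RENDERED_POST, **{   # same, plus an unrendered blank-id form
    "tag_set-TOTAL_FORMS": "2",
    "tag_set-1-id": "",
    "tag_set-1-name": "injected",
})


def demo() -> dict:
    """Evaluate both submissions for a user holding only the change permission."""
    change_only = User({"app.change_tag"})
    return {
        "rendered_ok": forbidden_new_forms(RENDERED_POST, "tag_set", change_only, "app.add_tag") == [],
        "forged_denied": forbidden_new_forms(FORGED_POST, "tag_set", change_only, "app.add_tag"),
    }


if __name__ == "__main__":
    print(demo())  # → {'rendered_ok': True, 'forged_denied': [1]}
```

Running the block shows the rendered submission passing and the forged one being rejected at form index 1, the extra form whose empty `id` marks it as a new object. In a real deployment this logic lives inside the framework; the example exists only to make the missing check concrete.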
Problem types
CWE-862: Missing Authorization
Product status
Affected: 6.0 (semver) before 6.0.4
Fixed: 6.0.4 (semver)
Affected: 5.2 (semver) before 5.2.13
Fixed: 5.2.13 (semver)
Affected: 4.2 (semver) before 4.2.30
Fixed: 4.2.30 (semver)
Timeline
| 2026-03-07: | Initial report received. |
| 2026-03-16: | Vulnerability confirmed. |
| 2026-04-07: | Security release issued. |
Credits
N05ec@LZU-DSLab
Jacob Walls
References
docs.djangoproject.com/en/dev/releases/security/ (Django security archive)
groups.google.com/g/django-announce (Django releases announcements)
www.djangoproject.com/weblog/2026/apr/07/security-releases/ (Django security releases issued: 6.0.4, 5.2.13, and 4.2.30)