CVE-2026-33034
Description
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-33034
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-33034.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 3:4.2.30-1 |
| debian | sid | fixed | 3:4.2.30-1 |
| debian | trixie | affected | |
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-33034
- https://docs.djangoproject.com/en/dev/releases/security
- https://github.com/django/django
- https://groups.google.com/g/django-announce
- https://www.djangoproject.com/weblog/2026/apr/07/security-releases
- https://docs.djangoproject.com/en/dev/releases/security/
- https://www.djangoproject.com/weblog/2026/apr/07/security-releases/
- https://www.suse.com/security/cve/CVE-2026-33034.html
- https://security-tracker.debian.org/tracker/CVE-2026-33034
Verify integrity in audit chain (admin only). AS-IS.