From 397c22048244db2cd4bb78f570e6c72a3967bf36 Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Mon, 16 Mar 2026 18:05:22 -0400 Subject: [5.2.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable. Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main. --- docs/releases/4.2.30.txt | 10 ++++++++++ docs/releases/5.2.13.txt | 10 ++++++++++ 2 files changed, 20 insertions(+) (limited to 'docs') diff --git a/docs/releases/4.2.30.txt b/docs/releases/4.2.30.txt index a6d2deef3c..de19a6f08f 100644 --- a/docs/releases/4.2.30.txt +++ b/docs/releases/4.2.30.txt @@ -36,3 +36,13 @@ forged ``POST`` data in This issue has severity "low" according to the :ref:`Django security policy `. + +CVE-2026-4292: Privilege abuse in ``ModelAdmin.list_editable`` +============================================================== + +Admin changelist forms using +:attr:`~django.contrib.admin.ModelAdmin.list_editable` incorrectly allowed new +instances to be created via forged ``POST`` data. + +This issue has severity "low" according to the :ref:`Django security policy +`. diff --git a/docs/releases/5.2.13.txt b/docs/releases/5.2.13.txt index 8b03103508..8b303f2700 100644 --- a/docs/releases/5.2.13.txt +++ b/docs/releases/5.2.13.txt @@ -36,3 +36,13 @@ forged ``POST`` data in This issue has severity "low" according to the :ref:`Django security policy `. + +CVE-2026-4292: Privilege abuse in ``ModelAdmin.list_editable`` +============================================================== + +Admin changelist forms using +:attr:`~django.contrib.admin.ModelAdmin.list_editable` incorrectly allowed new +instances to be created via forged ``POST`` data. + +This issue has severity "low" according to the :ref:`Django security policy +`. -- cgit v1.3