[5.2.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable.

Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2026-03-16 18:05:22 -0400
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-04-07 07:33:08 -0400
commit: 397c22048244db2cd4bb78f570e6c72a3967bf36 (patch)
tree: e84f0cf74cabf13c9755c41f339c043f63f29805 /django
parent: 60ffa957c427e10a2eb0fc80d1674a8a8ccc30b0 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index 69b0cc0373..0e6b20fee7 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -33,6 +33,7 @@ from django.contrib.admin.utils import (
 from django.contrib.admin.widgets import AutocompleteSelect, AutocompleteSelectMultiple
 from django.contrib.auth import get_permission_codename
 from django.core.exceptions import (
+    BadRequest,
     FieldDoesNotExist,
     FieldError,
     PermissionDenied,
@@ -2114,6 +2115,8 @@ class ModelAdmin(BaseModelAdmin):
                     for form in formset.forms:
                         if form.has_changed():
                             obj = self.save_form(request, form, change=True)
+                            if obj._state.adding:
+                                raise BadRequest("list_editable does not allow adding.")
                             self.save_model(request, obj, form, change=True)
                             self.save_related(request, form, formsets=[], change=True)
                             change_msg = self.construct_change_message(
author	Jacob Walls <jacobtylerwalls@gmail.com>	2026-03-16 18:05:22 -0400
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-04-07 07:33:08 -0400
commit	397c22048244db2cd4bb78f570e6c72a3967bf36 (patch)
tree	e84f0cf74cabf13c9755c41f339c043f63f29805 /django
parent	60ffa957c427e10a2eb0fc80d1674a8a8ccc30b0 (diff)