[4.2.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable.

Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2026-03-16 18:05:22 -0400
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-04-07 07:42:18 -0400
commit: abfe1a1c57a57cfaf6dd4a0571c029401a0fe743 (patch)
tree: 684c02a58479b5364ecf919250b61dc328818b09 /django
parent: 051f3909e820360bbe84a21350e82f4961e3d917 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/django/contrib/admin/options.py b/django/contrib/admin/options.py
index 1bbb302611..bb51884a83 100644
--- a/django/contrib/admin/options.py
+++ b/django/contrib/admin/options.py
@@ -30,6 +30,7 @@ from django.contrib.admin.utils import (
 from django.contrib.admin.widgets import AutocompleteSelect, AutocompleteSelectMultiple
 from django.contrib.auth import get_permission_codename
 from django.core.exceptions import (
+    BadRequest,
     FieldDoesNotExist,
     FieldError,
     PermissionDenied,
@@ -2016,6 +2017,8 @@ class ModelAdmin(BaseModelAdmin):
                     for form in formset.forms:
                         if form.has_changed():
                             obj = self.save_form(request, form, change=True)
+                            if obj._state.adding:
+                                raise BadRequest("list_editable does not allow adding.")
                             self.save_model(request, obj, form, change=True)
                             self.save_related(request, form, formsets=[], change=True)
                             change_msg = self.construct_change_message(
author	Jacob Walls <jacobtylerwalls@gmail.com>	2026-03-16 18:05:22 -0400
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2026-04-07 07:42:18 -0400
commit	abfe1a1c57a57cfaf6dd4a0571c029401a0fe743 (patch)
tree	684c02a58479b5364ecf919250b61dc328818b09 /django
parent	051f3909e820360bbe84a21350e82f4961e3d917 (diff)