Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.

Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart
for reviews.

3 files changed, 60 insertions, 0 deletions

diff --git a/docs/releases/4.2.30.txt b/docs/releases/4.2.30.txt
index a2679c7736..30ffd4eb9d 100644
--- a/docs/releases/4.2.30.txt
+++ b/docs/releases/4.2.30.txt
@@ -6,3 +6,23 @@ Django 4.2.30 release notes
 
 Django 4.2.30 fixes one security issue with severity "moderate" and four
 security issues with severity "low" in 4.2.29.
+
+CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
+====================================================================
+
+``ASGIRequest`` normalizes header names following WSGI conventions, mapping
+hyphens to underscores. As a result, even in configurations where reverse
+proxies carefully strip security-sensitive headers named with hyphens, such a
+header could be spoofed by supplying a header named with underscores.
+
+Under WSGI, it is the responsibility of the server or proxy to avoid ambiguous
+mappings. (Django's :djadmin:`runserver` was patched in :cve:`2015-0219`.) But
+under ASGI, there is not the same uniform expectation, even if many proxies
+protect against this under default configuration (including ``nginx`` via
+``underscores_in_headers off;``).
+
+Headers containing underscores are now ignored by ``ASGIRequest``, matching the
+behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
diff --git a/docs/releases/5.2.13.txt b/docs/releases/5.2.13.txt
index ff391eff0f..94d63dafdb 100644
--- a/docs/releases/5.2.13.txt
+++ b/docs/releases/5.2.13.txt
@@ -6,3 +6,23 @@ Django 5.2.13 release notes
 
 Django 5.2.13 fixes one security issue with severity "moderate" and four
 security issues with severity "low" in 5.2.12.
+
+CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
+====================================================================
+
+``ASGIRequest`` normalizes header names following WSGI conventions, mapping
+hyphens to underscores. As a result, even in configurations where reverse
+proxies carefully strip security-sensitive headers named with hyphens, such a
+header could be spoofed by supplying a header named with underscores.
+
+Under WSGI, it is the responsibility of the server or proxy to avoid ambiguous
+mappings. (Django's :djadmin:`runserver` was patched in :cve:`2015-0219`.) But
+under ASGI, there is not the same uniform expectation, even if many proxies
+protect against this under default configuration (including ``nginx`` via
+``underscores_in_headers off;``).
+
+Headers containing underscores are now ignored by ``ASGIRequest``, matching the
+behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
diff --git a/docs/releases/6.0.4.txt b/docs/releases/6.0.4.txt
index de75dc7d13..0ee6b82988 100644
--- a/docs/releases/6.0.4.txt
+++ b/docs/releases/6.0.4.txt
@@ -7,6 +7,26 @@ Django 6.0.4 release notes
 Django 6.0.4 fixes one security issue with severity "moderate", four security
 issues with severity "low", and several bugs in 6.0.3.
 
+CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
+====================================================================
+
+``ASGIRequest`` normalizes header names following WSGI conventions, mapping
+hyphens to underscores. As a result, even in configurations where reverse
+proxies carefully strip security-sensitive headers named with hyphens, such a
+header could be spoofed by supplying a header named with underscores.
+
+Under WSGI, it is the responsibility of the server or proxy to avoid ambiguous
+mappings. (Django's :djadmin:`runserver` was patched in :cve:`2015-0219`.) But
+under ASGI, there is not the same uniform expectation, even if many proxies
+protect against this under default configuration (including ``nginx`` via
+``underscores_in_headers off;``).
+
+Headers containing underscores are now ignored by ``ASGIRequest``, matching the
+behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
+
 Bugfixes
 ========