diff options
| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-03-12 11:00:05 -0400 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-04-07 07:32:35 -0400 |
| commit | 60ffa957c427e10a2eb0fc80d1674a8a8ccc30b0 (patch) | |
| tree | 914fb8138b45faf5c6fcefd207a830ab7ec8cabe /docs | |
| parent | 1cc2a7612f97c109b92415fc11ba9bd0501852e0 (diff) | |
[5.2.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelAdmin.
Edit permissions were still checked as part of ordinary form validation,
but because GenericInlineModelAdmin overrides get_formset(), it lacked
InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic
for checking permissions server-side, leaving the add case unaddressed.
This change reimplements the relevant part of InlineModelAdmin.get_formset().
Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart,
Markus Holtermann, and Simon Charette for reviews.
Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.2.30.txt | 10 | ||||
| -rw-r--r-- | docs/releases/5.2.13.txt | 10 |
2 files changed, 20 insertions, 0 deletions
diff --git a/docs/releases/4.2.30.txt b/docs/releases/4.2.30.txt index 30ffd4eb9d..a6d2deef3c 100644 --- a/docs/releases/4.2.30.txt +++ b/docs/releases/4.2.30.txt @@ -26,3 +26,13 @@ behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2026-4277: Privilege abuse in ``GenericInlineModelAdmin`` +============================================================= + +Add permissions on inline model instances were not validated on submission of +forged ``POST`` data in +:class:`~django.contrib.contenttypes.admin.GenericInlineModelAdmin`. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. diff --git a/docs/releases/5.2.13.txt b/docs/releases/5.2.13.txt index 94d63dafdb..8b03103508 100644 --- a/docs/releases/5.2.13.txt +++ b/docs/releases/5.2.13.txt @@ -26,3 +26,13 @@ behavior of :pypi:`Daphne <daphne>`, the reference server for ASGI. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2026-4277: Privilege abuse in ``GenericInlineModelAdmin`` +============================================================= + +Add permissions on inline model instances were not validated on submission of +forged ``POST`` data in +:class:`~django.contrib.contenttypes.admin.GenericInlineModelAdmin`. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. |