[6.0.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.list_editable.

Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.

Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.

1 files changed, 17 insertions, 0 deletions

diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
index f766794c54..db19f75aa9 100644
--- a/tests/admin_views/tests.py
+++ b/tests/admin_views/tests.py
@@ -3,6 +3,7 @@ import os
 import re
 import unittest
 import zoneinfo
+from http import HTTPStatus
 from unittest import mock
 from urllib.parse import parse_qsl, urljoin, urlsplit
 
@@ -4370,6 +4371,22 @@ class AdminViewListEditable(TestCase):
 
         self.assertIs(Person.objects.get(name="John Mauchly").alive, False)
 
+    def test_forged_post_submission_when_no_add_permission(self):
+        before_count = ParentWithUUIDPK.objects.count()
+        data = {
+            "form-TOTAL_FORMS": "1",
+            "form-INITIAL_FORMS": "0",
+            "form-MAX_NUM_FORMS": "0",
+            "form-0-title": "The News",
+            "form-0-id": "",
+            "_save": "Save",
+        }
+        # This model admin allows no add permissions.
+        changelist_url = reverse("admin:admin_views_parentwithuuidpk_changelist")
+        response = self.client.post(changelist_url, data)
+        self.assertEqual(response.status_code, HTTPStatus.BAD_REQUEST)
+        self.assertEqual(ParentWithUUIDPK.objects.count(), before_count)
+
     def test_non_field_errors(self):
         """
         Non-field errors are displayed for each of the forms in the