{"id":"CVE-2026-33034","summary":"Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass","details":"An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nASGI requests with a missing or understated `Content-Length` header could\r\nbypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading\r\n`HttpRequest.body`, allowing remote attackers to load an unbounded request body into\r\nmemory.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Superior for reporting this issue.","aliases":["BIT-django-2026-33034","GHSA-933h-hp56-hf7m","PYSEC-2026-49"],"modified":"2026-05-20T08:11:14.681120318Z","published":"2026-04-07T14:22:59.942Z","related":["CGA-8hfr-p958-rv37","SUSE-SU-2026:1740-1","openSUSE-SU-2026:10516-1","openSUSE-SU-2026:10517-1","openSUSE-SU-2026:10567-1","openSUSE-SU-2026:20578-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33034.json","cwe_ids":["CWE-770"],"cna_assigner":"DSF"},"references":[{"type":"WEB","url":"https://github.com/django/django/"},{"type":"ADVISORY","url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33034.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33034"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"},{"type":"PACKAGE","url":"https://pypi.org/project/Django/"},{"type":"ARTICLE","url":"https://groups.google.com/g/django-announce"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"97aa3b7f08f51669e118f3af5ca91026e39664c3"},{"fixed":"3396992e837d5146270ea8112bb622c83fa4a919"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33034.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}