CVE-2026-33034
Publication date 7 April 2026
Last updated 8 April 2026
Ubuntu priority: Low
CVSS 3 severity score: 7.5 (High)
Description
An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.
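As an added illustration of the bug class the description names (this is not Django's code and not the actual patch), the following synchronous model of an ASGI body reader contrasts a limit checked only against the declared `Content-Length` with one enforced on the bytes actually received; `iter_asgi_body` and `understated_request` are constructed helpers, and the messages they handle are constructed sample input.

```python
DATA_UPLOAD_MAX_MEMORY_SIZE = 2_621_440  # Django's default limit (2.5 MiB)


class RequestDataTooBig(Exception):
    """Raised when a request body would exceed the configured memory limit."""


def iter_asgi_body(messages):
    """Constructed stand-in for draining an ASGI receive() channel: yield the
    body of each http.request message until more_body is False."""
    for message in messages:
        yield message.get("body", b"")
        if not message.get("more_body", False):
            break


def read_body_trusting_header(content_length, messages, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Weak pattern: the only size check is against the declared Content-Length.
    A missing (None) or understated header passes the check, after which every
    chunk the server delivers is appended to memory without bound."""
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig("declared Content-Length exceeds limit")
    return b"".join(iter_asgi_body(messages))


def read_body_counting_bytes(content_length, messages, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Hardened pattern: the header is only a hint. The limit is enforced on
    bytes actually received, and reading stops before it would be crossed."""
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig("declared Content-Length exceeds limit")
    buf = bytearray()
    for chunk in iter_asgi_body(messages):
        if len(buf) + len(chunk) > limit:
            raise RequestDataTooBig("received body exceeds limit")
        buf.extend(chunk)
    return bytes(buf)


def understated_request(declared, actual, chunk_size=1024):
    """Constructed request: the header claims `declared` bytes (None = header
    absent) while the ASGI messages carry `actual` bytes in total."""
    messages, remaining = [], actual
    while remaining > 0:
        n = min(chunk_size, remaining)
        remaining -= n
        messages.append({"type": "http.request", "body": b"x" * n,
                         "more_body": remaining > 0})
    return declared, messages
```

With a 2 KiB limit, a request declaring 100 bytes but delivering 3 KiB is fully buffered by the header-trusting reader and rejected by the byte-counting one; the same holds when the header is absent.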
Read the notes from the security team
Why is this CVE low priority?
Django developers have rated this as being a low severity issue
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-django | 25.10 questing | Fixed 3:5.2.4-1ubuntu2.4 |
| | 24.04 LTS noble | Fixed 3:4.2.11-1ubuntu1.15 |
| | 22.04 LTS jammy | Ignored |
| | 20.04 LTS focal | Ignored |
| | 18.04 LTS bionic | Ignored |
| | 16.04 LTS xenial | Ignored |
| | 14.04 LTS trusty | Ignored |
Notes
mdeslaur
The fix for this issue relies on LimitedStream being seekable, but in jammy and older, that is not the case. LimitedStream in recent versions was changed to use IOBase here: https://github.com/django/django/commit/b47f2f5b907732d80b164f1f361ae39da94a3fa6
We likely can't backport that change as it would break compatibility, so we will not be fixing this issue in jammy and earlier releases.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-8154-1: Django vulnerabilities (7 April 2026)