{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-07T14:22:38Z",
  "bugzilla" : {
    "description" : "Django: Django: Unauthorized instance creation via forged POST data in Admin changelist forms",
    "id" : "2455941",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2455941"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-472",
  "details" : [ "A flaw was found in Django. Admin changelist forms utilizing `ModelAdmin.list_editable` were susceptible to improper access control. A remote attacker could exploit this by sending forged `POST` data, leading to the unauthorized creation of new instances within the application." ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "automation-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/automation-reports",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/controller-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/eda-controller-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/gateway-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/hub-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/lightspeed-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/lightspeed-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/metrics-service-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/discovery-server",
    "cpe" : "cpe:/a:redhat:discovery:2::el9"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/iop-advisor-backend-sat-6-18",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-4292\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4292\nhttps://docs.djangoproject.com/en/dev/releases/security/\nhttps://groups.google.com/g/django-announce\nhttps://www.djangoproject.com/weblog/2026/apr/07/security-releases/" ],
  "name" : "CVE-2026-4292",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}