Vulnerability Spoiler Alert – Exposing Patches Before CVEs
A recent patch in Django addresses a privilege escalation vulnerability related to permission checks in the admin change form view. Previously, users with only view permissions were unable to execute view-only actions, while those with change permissions could. The update restructures the permission checks to allow view-only users to run permitted actions without being blocked by change permission requirements.
- The patch modifies the permission check order in the Django admin change form view.
- Users with only view permission can now execute view-permitted actions after the patch.
- Before the patch, view-only users were denied access to certain actions due to the permission structure.
Opening excerpt (first ~120 words):
⚠️ MEDIUM | FALSE POSITIVE | Privilege Escalation / Unauthorized Action Execution
May 20, 2026, 12:04 PM
django/django, commit 8fd29079ed1253f0cd88ccf330de30271a5d15e4, author Sarah Boyce
In the Django admin change form view, a POST request (e.g., running an action) only required `has_change_permission`, but actions can be configured to require only view permission. Before the patch, a user with only view permission could not run view-only actions from the change form, while a user with change permission was allowed. More critically, the permission check order meant that when running actions from the change form (which goes through `_changeform_view`), the code checked `has_change_permission` for all POST requests before the action handler ran, blocking legitimate view-permission actions.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Vulnerabilityspoileralert.
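The check ordering the excerpt describes, modelled as an added example that is not Django's own code: `User`, `Action` and the two `changeform_post_*` functions are constructed stand-ins for the admin change form view's POST handling, with the pre-patch gate on `has_change_permission` beside the restructured order.

```python
# Constructed model of the permission-check ordering described in the excerpt.
# Not Django's code: User, Action and the changeform_post_* functions are
# simplified stand-ins for the admin change form view's POST handling.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    perms: frozenset  # constructed sample: {"view"} or {"change"}

    def has_change_permission(self) -> bool:
        return "change" in self.perms

    def has_view_or_change_permission(self) -> bool:
        return "view" in self.perms or "change" in self.perms


@dataclass(frozen=True)
class Action:
    name: str
    permission_required: str  # "view" or "change", declared by the action


def _action_allowed(user: User, action: Action) -> bool:
    # An action declares the permission it needs; the handler checks only that.
    if action.permission_required == "change":
        return user.has_change_permission()
    return user.has_view_or_change_permission()


def changeform_post_before_patch(user: User, action: Optional[Action]) -> str:
    # Pre-patch ordering: every POST is gated on change permission before the
    # action handler runs, so a view-only user never reaches a view action.
    if not user.has_change_permission():
        return "denied"
    if action is not None:
        return "ran " + action.name if _action_allowed(user, action) else "denied"
    return "saved"


def changeform_post_after_patch(user: User, action: Optional[Action]) -> str:
    # Restructured ordering: an action POST is checked against the action's own
    # requirement; only a plain form save still demands change permission.
    if action is not None:
        return "ran " + action.name if _action_allowed(user, action) else "denied"
    if not user.has_change_permission():
        return "denied"
    return "saved"


# Constructed sample principals and actions for a stand-alone run.
VIEWER = User(frozenset({"view"}))
EDITOR = User(frozenset({"change"}))
EXPORT = Action("export", "view")
PUBLISH = Action("publish", "change")
```

With these samples, `changeform_post_before_patch(VIEWER, EXPORT)` is denied while `changeform_post_after_patch(VIEWER, EXPORT)` runs the action, and a plain save by `VIEWER` stays denied under both orderings.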