Django Allocation of Resources Without Limits or Throttling Vulnerability - CVE-2026-33034

An issue was discovered in 6.0 before 6.0.4 5.2 before 5.2.13 and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body allowing remote attackers to load an unbounded request body into memory. Earlier unsupported Django series (such as 5.0.x 4.1.x and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.