Django Missing Authorization Vulnerability - CVE-2026-4292

An issue was discovered in 6.0 before 6.0.4 5.2 before 5.2.13 and 4.2 before 4.2.30. Admin changelist forms using ModelAdmin.list_editable incorrectly allowed new instances to be created via forged POST data. Earlier unsupported Django series (such as 5.0.x 4.1.x and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.