- CVE: CVE-2026-1207
- CVSS: 8.3 (High · CVSSv3)
- Product: Django (pip)
- Affected: >= 6.0a1, < 6.0.2, >= 5.2a1, < 5.2.11, >= 4.2a1, < 4.2.28
- Impact: Potential SQL injection via raster lookups on PostGIS
- Status: Exploited in the wild
- Patched in: 6.0.2, 5.2.11, 4.2.28
- EPSS: 9.4% (30-day)
- Action: Update to 6.0.2, 5.2.11, 4.2.28 now
TL;DR
CVE-2026-1207 is a high-severity Django SQL injection flaw, scored 8.3. It affects RasterField lookups when Django runs on a PostGIS database. Security firm CrowdSec and Canada’s cyber centre confirm attackers are exploiting it in the wild, so patch now.
Why It Matters
Django powers a huge share of Python web apps. So even a narrow bug can reach many targets. This Django SQL injection lets a remote attacker with low privileges read, change, or delete database data. Red Hat rates the flaw Important. It flags several products as affected, including Ansible Automation Platform, Satellite, Discovery, and Insights, when they use Django with PostGIS raster lookups.
How the Attack Works
The flaw sits in raster lookups on RasterField, a field type unique to PostGIS. Django inlines the band index parameter into the SQL query instead of binding it. So an attacker who controls that value can inject their own SQL. Notably, this Django SQL injection is not a typical ORM bug, since the standard ORM stays parameterized. Researcher Tarek Nakkouch reported the issue.
Affected Versions
The bug affects Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Older, unsupported lines such as 3.2.x may also be exposed. Apps that avoid PostGIS RasterField lookups are safe.
Patch and Mitigation
Update now. The Django team shipped fixes on February 3, 2026, across the supported branches. You can review the details in the project’s security release notes. Canada’s cyber centre also issued an advisory, and CrowdSec first observed live attacks in late February. Its telemetry shows steady probing against PostGIS setups rather than mass scanning, a sign of targeted interest. If you cannot patch at once, audit RasterField queries, add a WAF rule for the band parameter, and tighten database permissions.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.