Django Broken Function Level Authorization Guide [Apr 2026] [CVE-2026-6609]

Broken Function Level Authorization in Django occurs when a view or endpoint only enforces a broad, global permission and fails to enforce checks for each specific action within that function. As a result, an authenticated user may be able to perform operations on resources they should not own or access, such as updating, deleting, or approving items. Note: No CVE IDs are provided in this guide. In real-world apps, endpoints often expose actions like publish, approve, or change status. If checks are placed only at the top of a function or rely on a blanket is_staff gate, attackers can abuse the endpoint to operate on other users' data, leading to data leaks, unauthorized edits, and compromised integrity. This vulnerability manifests in Django patterns such as missing per-object checks in function-based or class-based views, insufficient filtering in get_queryset for DRF, or depending solely on model-level permissions rather than object-level constraints. Even with DRF, using broad permission_classes without object-level enforcement can create a window of privilege escalation. Remediation involves adding per-object or owner-based checks, scoping queries, and using a proper permission backend. Recommended approaches include enabling per-object permissions with a backend like django-guardian, validating ownership or explicit permissions in every action, using DRF's DjangoObjectPermissions, and adding tests and audits to prevent regressions.