Low severityNVD Advisory· Published Mar 3, 2026· Updated Mar 3, 2026
Potential incorrect permissions on newly created file system objects
CVE-2026-25674
Description
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary umask change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 6.0, < 6.0.3 | 6.0.3 |
DjangoPyPI | >= 5.2, < 5.2.12 | 5.2.12 |
DjangoPyPI | >= 4.2, < 4.2.29 | 4.2.29 |
Affected products
1- Range: 6.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- docs.djangoproject.com/en/dev/releases/security/mitrevendor-advisory
- github.com/advisories/GHSA-mjgh-79qc-68w3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25674ghsaADVISORY
- www.djangoproject.com/weblog/2026/mar/03/security-releases/mitrevendor-advisory
- docs.djangoproject.com/en/dev/releases/securityghsaWEB
- groups.google.com/g/django-announceghsamailing-listWEB
- www.djangoproject.com/weblog/2026/mar/03/security-releasesghsaWEB
News mentions
0No linked articles in our index yet.