Low severityNVD Advisory· Published Mar 3, 2026· Updated Mar 3, 2026
Potential incorrect permissions on newly created file system objects
CVE-2026-25674
Description
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary umask change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 6.0, < 6.0.3 | 6.0.3 |
DjangoPyPI | >= 5.2, < 5.2.12 | 5.2.12 |
DjangoPyPI | >= 4.2, < 4.2.29 | 4.2.29 |
Affected products
12- osv-coords11 versionspkg:apk/chainguard/authentik-fipspkg:apk/chainguard/awxpkg:apk/chainguard/label-studiopkg:bitnami/djangopkg:pypi/djangopkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Django&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7
< 2026.2.1-r0+ 10 more
- (no CPE)range: < 2026.2.1-r0
- (no CPE)range: < 24.6.1-r30
- (no CPE)range: < 1.22.0-r7
- (no CPE)range: >= 4.2.0, < 4.2.29
- (no CPE)range: >= 6.0, < 6.0.3
- (no CPE)range: < 4.2.29-1.1
- (no CPE)range: < 6.0.3-1.1
- (no CPE)range: < 4.2.11-150600.3.50.1
- (no CPE)range: < 5.2.4-bp160.6.1
- (no CPE)range: < 5.2.12-1.1
- (no CPE)range: < 4.2.11-150600.3.50.1
- Range: 6.0
Patches
Vulnerability mechanics
References
7- docs.djangoproject.com/en/dev/releases/security/mitrevendor-advisory
- github.com/advisories/GHSA-mjgh-79qc-68w3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25674ghsaADVISORY
- www.djangoproject.com/weblog/2026/mar/03/security-releases/mitrevendor-advisory
- docs.djangoproject.com/en/dev/releases/securityghsaWEB
- groups.google.com/g/django-announceghsamailing-listWEB
- www.djangoproject.com/weblog/2026/mar/03/security-releasesghsaWEB
News mentions
0No linked articles in our index yet.