Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Django Web Framework: Incorrect File Permissions in Multi-Threading Environments
OESA-2026-1509
Summary
Django, a popular web development framework, has a security issue that can cause files to be created with the wrong permissions when multiple requests are handled at the same time. This could potentially allow an attacker to access sensitive files. Affected users should update to the latest version of Django to ensure they have the latest security patches.
What to do
- Update python-django to version 4.2.15-13.oe2403.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | python-django | <= 4.2.15-13.oe2403 | 4.2.15-13.oe2403 |
Original title
python-django security update
Original description
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Security Fix(es):
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.(CVE-2026-25674)
Security Fix(es):
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.(CVE-2026-25674)
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-25674 Vendor Advisory
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026