Django File Permissions Can Be Incorrect in Multi-Threading Scenarios

OESA-2026-1510
Summary

If your Django site handles multiple requests at the same time in a multi-threaded deployment, an attacker could potentially cause files to be created with incorrect permissions. This could lead to unexpected behavior or security issues. To fix this, update to the latest version of Django, especially if you're using version 6.0, 5.2, or 4.2, or any older version that is no longer supported.

What to do
  • Update python-django to version 4.2.15-13.oe2403sp1.
Affected software
Vendor | Product | Affected versions | Fix available
– | python-django | <= 4.2.15-13.oe2403sp1 | 4.2.15-13.oe2403sp1
Original title
python-django security update
Original description
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Security Fix(es):

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. (CVE-2026-25674)
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026
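
The race described above in miniature, as an added example that is not Django's code or its patch: the umask is a per-process setting, so a file created by one thread while another thread holds a "temporary" umask gets the wrong mode, whereas setting the mode explicitly on the descriptor does not depend on the umask. The function names, the baseline umask of 0o022 and the temporary umask of 0 are assumptions chosen for the demonstration; it requires a POSIX system.

```python
import os
import stat
import tempfile
import threading

BASE_UMASK = 0o022  # constructed baseline: new files are expected to end up 0o644

def create_naive(path):
    """Relies on the umask to trim 0o666 down to the intended mode."""
    os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666))

def create_explicit(path, mode=0o644):
    """Creates the file owner-only, then sets the final mode on the descriptor."""
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    try:
        os.fchmod(fd, mode)  # fchmod is not filtered by the umask
    finally:
        os.close(fd)

def mode_when_created_in_window(create):
    """Run `create` in thread B while thread A holds a temporary umask of 0."""
    previous = os.umask(BASE_UMASK)
    opened, created = threading.Event(), threading.Event()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "upload.bin")

        def thread_a():
            saved = os.umask(0)   # "temporary" change, but it is process-wide
            opened.set()
            created.wait(5)       # stands in for thread A's own filesystem work
            os.umask(saved)

        def thread_b():
            opened.wait(5)        # create only once A has changed the umask
            create(path)
            created.set()

        workers = [threading.Thread(target=f) for f in (thread_a, thread_b)]
        for w in workers:
            w.start()
        for w in workers:
            w.join()
        result = stat.S_IMODE(os.stat(path).st_mode)
    os.umask(previous)            # leave the caller's umask as it was
    return result

if __name__ == "__main__":
    print(oct(mode_when_created_in_window(create_naive)))     # 0o666, not 0o644
    print(oct(mode_when_created_in_window(create_explicit)))  # 0o644
```

The events force the interleaving so the result is deterministic; in a real multi-threaded server the same overlap happens only when requests coincide, which is why the wrong modes appear intermittently.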