Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Django Web Framework: File Permissions Risk in Multi-Threading Scenarios
OESA-2026-1511
Summary
Django's file system and cache storage may create files with incorrect permissions if multiple requests are handled at the same time, potentially allowing an attacker to exploit this issue. This affects Django versions 6.0 through 6.0.2, 5.2 through 5.2.11, and 4.2 through 4.2.28. If you use Django, update to the latest version to ensure file permissions are set correctly.
What to do
- Update python-django to version 4.2.15-13.oe2403sp2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | python-django | <= 4.2.15-13.oe2403sp2 | 4.2.15-13.oe2403sp2 |
Original title
python-django security update
Original description
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Security Fix(es):
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.(CVE-2026-25674)
Security Fix(es):
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.(CVE-2026-25674)
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-25674 Vendor Advisory
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026