Django File System Permissions Can Be Incorrectly Set
Identifiers: CVE-2026-25674 · GHSA-mjgh-79qc-68w3 · BIT-django-2026-25674
Summary
Django's file-system storage and file-based cache backends have a race condition that can cause files to be created with incorrect permissions. It occurs when concurrent requests are handled by multiple threads in the same process and can lead to security issues. If you're using an affected version of Django, update to the latest patch release of your series to fix the problem.
What to do
- On the 6.0 series, update django to version 6.0.3.
- On the 5.2 series, update django to version 5.2.12.
- On the 4.2 series, update django to version 4.2.29.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | django | > 6.0 , <= 6.0.3 | 6.0.3 |
| – | django | > 5.2 , <= 5.2.12 | 5.2.12 |
| – | django | > 4.2 , <= 4.2.29 | 4.2.29 |
| djangoproject | django | > 4.2.0 , <= 4.2.29 | – |
| djangoproject | django | > 5.2 , <= 5.2.12 | – |
| djangoproject | django | > 6.0 , <= 6.0.3 | – |
| – | django | > 6.0.0 , <= 6.0.3 | 6.0.3 |
Original title
Django has a Race Condition vulnerability
Original description
An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
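The mechanism named in the description (one thread's temporary `umask` change leaking into another thread's file creation) is easy to see in isolation. The following is an added illustration written for this page; it is not Django's code and not Django's patch. It assumes a POSIX filesystem with permission bits (Linux), and all function and file names are constructed for the example. It runs the two threads in a fixed interleaving so the leak is reproducible, shows a creation pattern whose final mode does not depend on the process umask at all (create restrictively, then set the intended mode explicitly), and ends with a defender-side scan that lists files carrying group- or world-writable bits, which is a practical post-upgrade check for a media or cache directory.

```python
"""Illustration of why a temporary umask change is not thread-safe (added example)."""
import os
import stat
import tempfile
import threading


def file_mode(path):
    """Return only the permission bits of a file's mode."""
    return stat.S_IMODE(os.stat(path).st_mode)


# --- race-prone pattern: umask is process-wide, so a temporary change made by
# --- one thread is in force for every other thread until it is restored.

def write_with_temporary_umask(path, data, temp_umask, ready, before_restore):
    """Change the process umask around a file creation (the pattern that races)."""
    old = os.umask(temp_umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        ready.set()            # signal: the changed umask is now in force
        before_restore.wait()  # hold it there so the interleaving is deterministic
    finally:
        os.umask(old)


def create_file_unsafe(path, data):
    """Create a file whose final mode depends on whatever the umask is right now."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


# --- umask-independent pattern: create restrictively, then set the mode explicitly.

def create_file_safe(path, data, mode=0o644):
    """Create a file and apply `mode` explicitly, ignoring the current umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, mode)  # final permissions no longer depend on the umask
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def find_permissive_files(root, disallowed=stat.S_IWGRP | stat.S_IWOTH):
    """Defender check: relative paths of files under root with any disallowed bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if file_mode(path) & disallowed:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def demonstrate_race(tmpdir):
    """Run the fixed interleaving; return the modes of the unsafe and safe files."""
    original = os.umask(0o022)  # known starting umask for the demonstration
    try:
        ready, before_restore = threading.Event(), threading.Event()
        worker = threading.Thread(
            target=write_with_temporary_umask,
            args=(os.path.join(tmpdir, "a.tmp"), b"a", 0, ready, before_restore),
        )
        worker.start()
        ready.wait()  # the worker's umask(0) is in force for this thread too
        unsafe_path = os.path.join(tmpdir, "unsafe.txt")
        safe_path = os.path.join(tmpdir, "safe.txt")
        create_file_unsafe(unsafe_path, b"x")   # lands as 0o666 instead of 0o644
        create_file_safe(safe_path, b"x", 0o644)  # lands as 0o644 regardless
        before_restore.set()
        worker.join()
        return file_mode(unsafe_path), file_mode(safe_path)
    finally:
        os.umask(original)


def run_demo():
    """Run the demonstration in a scratch directory and report what was observed."""
    with tempfile.TemporaryDirectory() as tmpdir:
        unsafe_mode, safe_mode = demonstrate_race(tmpdir)
        loose = find_permissive_files(tmpdir)
    return {"unsafe": unsafe_mode, "safe": safe_mode, "loose": loose}


if __name__ == "__main__":
    print({k: (oct(v) if isinstance(v, int) else v) for k, v in run_demo().items()})
```

The interleaving is forced with events only so the result is reproducible; in a real multi-threaded server the same overlap happens by timing. Note that a temporary umask can also be more restrictive than the default, in which case the leak produces files that are harder to read than intended rather than easier, which is why an explicit `fchmod`/`chmod` after creation is the robust choice in either direction.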
NVD CVSS 3.1 base score: 3.7
Vulnerability type: CWE-362 (Race Condition)
References
- https://docs.djangoproject.com/en/dev/releases/security/ (vendor advisory, patch)
- https://groups.google.com/g/django-announce (release notes)
- https://www.djangoproject.com/weblog/2026/mar/03/security-releases/ (vendor advisory, patch)
- https://nvd.nist.gov/vuln/detail/CVE-2026-25674
- https://github.com/advisories/GHSA-mjgh-79qc-68w3
- https://github.com/django/django (product)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026