Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Django File System Permissions May Be Incorrectly Set
OESA-2026-1506
Summary
Django, a Python web framework, has a security issue that could lead to incorrect file permissions in certain situations. This could allow an attacker to create files with inappropriate permissions, potentially causing issues. Update to the latest version of Django to fix this issue.
What to do
- Update python-django to version 4.2.15-13.oe2403sp3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | python-django | <= 4.2.15-13.oe2403sp3 | 4.2.15-13.oe2403sp3 |
Original title
python-django security update
Original description
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Security Fix(es):
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.(CVE-2026-25674)
Security Fix(es):
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.(CVE-2026-25674)
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-25674 Vendor Advisory
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026