CVE-2026-25674

LOW 3.7

Potential incorrect permissions on newly created file system objects

CVSS Score

3.7

EPSS Score

0.0%

EPSS Percentile

0th

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

CWE	CWE-362
Vendor	djangoproject
Product	django
Published	Mar 3, 2026
Last Updated	Mar 3, 2026

Stay Ahead of the Next One

Get instant alerts for djangoproject django

Be the first to know when new low vulnerabilities affecting djangoproject django are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

djangoproject / Django

6.0 < 6.0.3 5.2 < 5.2.12 4.2 < 4.2.29

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.djangoproject.com: https://docs.djangoproject.com/en/dev/releases/security/ groups.google.com: https://groups.google.com/g/django-announce djangoproject.com: https://www.djangoproject.com/weblog/2026/mar/03/security-releases/

Credits

🔍 Tarek Nakkouch Natalia Bidart Natalia Bidart