Django <6.0.3 - File Permission Race in File Store
CVE-2026-25674 Published on March 3, 2026

Potential incorrect permissions on newly created file system objects
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-25674 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Timeline

Initial report received.

Vulnerability confirmed. 31 days later.

Security release issued. 11 days later.

Weakness Type

What is a Race Condition Vulnerability?

The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

CVE-2026-25674 has been classified to as a Race Condition vulnerability or weakness.


Products Associated with CVE-2026-25674

Want to know whenever a new CVE is published for Django Project Django? stack.watch will email you.

Django Project Django
 

Affected Versions

djangoproject Django:

Exploit Probability

EPSS
0.03%
Percentile
7.14%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.