{"id":"CVE-2026-25674","details":"An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\nRace condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary change to the process-wide `umask` affects other threads in multi-threaded environments.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.","aliases":["BIT-django-2026-25674","GHSA-mjgh-79qc-68w3"],"modified":"2026-04-02T13:17:10.300154Z","published":"2026-03-03T15:16:19.280Z","related":["CGA-j9p3-qxmp-vfgp","MGASA-2026-0050","SUSE-SU-2026:0821-1","openSUSE-SU-2026:10282-1","openSUSE-SU-2026:10283-1","openSUSE-SU-2026:10292-1","openSUSE-SU-2026:20373-1"],"references":[{"type":"ADVISORY","url":"https://groups.google.com/g/django-announce"},{"type":"FIX","url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"type":"FIX","url":"https://www.djangoproject.com/weblog/2026/mar/03/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"0"},{"fixed":"f2ec75efbcf4d1ed63f135e5f8ff5f0463175312"},{"introduced":"9e7cc2b628fe8fd3895986af9b7fc9525034c1b0"},{"fixed":"4f382ca672f86dd4a1e4d071c91d0caad0e124b3"},{"introduced":"36b5f39d9372147f0e758f590e35ee2b2bc317dd"},{"fixed":"a0d3bdb5b0a22cdbb4d3f7e5eabd7fe0f7311f68"}],"database_specific":{"versions":[{"introduced":"4.2.0"},{"fixed":"4.2.29"},{"introduced":"5.2"},{"fixed":"5.2.12"},{"introduced":"6.0"},{"fixed":"6.0.3"}]}}],"versions":["1.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1","1.1.1","1.1.2","1.1.3","1.1.4","1.10","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.10.7","1.10.8","1.10a1","1.10b1","1.10rc1","1.11","1.11.1","1.11.10","1.11.11","1.11.12","1.11.13","1.11.14","1.11.15","1.11.16","1.
11.17","1.11.18","1.11.19","1.11.2","1.11.20","1.11.21","1.11.22","1.11.23","1.11.24","1.11.25","1.11.26","1.11.27","1.11.28","1.11.29","1.11.3","1.11.4","1.11.5","1.11.6","1.11.7","1.11.8","1.11.9","1.11a1","1.11b1","1.11rc1","1.2","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.3","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.4","1.4.1","1.4.10","1.4.11","1.4.12","1.4.13","1.4.14","1.4.15","1.4.16","1.4.17","1.4.18","1.4.19","1.4.2","1.4.20","1.4.21","1.4.22","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","1.5","1.5.1","1.5.10","1.5.11","1.5.12","1.5.2","1.5.3","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.5a1","1.5b1","1.5b2","1.5c1","1.5c2","1.6","1.6.1","1.6.10","1.6.11","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","1.6a1","1.6b1","1.6b2","1.6b3","1.6b4","1.6c1","1.7","1.7.1","1.7.10","1.7.11","1.7.2","1.7.3","1.7.4","1.7.5","1.7.6","1.7.7","1.7.8","1.7.9","1.7a1","1.7a2","1.7b1","1.7b2","1.7b3","1.7b4","1.7c1","1.7c2","1.7c3","1.8","1.8.1","1.8.10","1.8.11","1.8.12","1.8.13","1.8.14","1.8.15","1.8.16","1.8.17","1.8.18","1.8.19","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9","1.8a1","1.8b1","1.8b2","1.8c1","1.9","1.9.1","1.9.10","1.9.11","1.9.12","1.9.13","1.9.2","1.9.3","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9","1.9a1","1.9b1","1.9rc1","1.9rc2","2.0","2.0.1","2.0.10","2.0.11","2.0.12","2.0.13","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.0a1","2.0b1","2.0rc1","2.1","2.1.1","2.1.10","2.1.11","2.1.12","2.1.13","2.1.14","2.1.15","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.1a1","2.1b1","2.1rc1","2.2","2.2.1","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.16","2.2.17","2.2.18","2.2.19","2.2.2","2.2.20","2.2.21","2.2.22","2.2.23","2.2.24","2.2.25","2.2.26","2.2.27","2.2.28","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9","2.2a1","2.2b1","2.2rc1","3.0","3.0.1","3.0.10","3.0.11","3.0.12","3.0.13","3.0.14","3.0.2","3.0.3","3.0
.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.0a1","3.0b1","3.0rc1","3.1","3.1.1","3.1.10","3.1.11","3.1.12","3.1.13","3.1.14","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","3.1a1","3.1b1","3.1rc1","3.2","3.2.1","3.2.10","3.2.11","3.2.12","3.2.13","3.2.14","3.2.15","3.2.16","3.2.17","3.2.18","3.2.19","3.2.2","3.2.20","3.2.21","3.2.22","3.2.23","3.2.24","3.2.25","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9","3.2a1","3.2b1","3.2rc1","4.0","4.0.1","4.0.10","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.0a1","4.0b1","4.0rc1","4.1","4.1.1","4.1.10","4.1.11","4.1.12","4.1.13","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.1.9","4.1a1","4.1b1","4.1rc1","4.2","4.2.1","4.2.10","4.2.11","4.2.12","4.2.13","4.2.14","4.2.15","4.2.16","4.2.17","4.2.18","4.2.19","4.2.2","4.2.20","4.2.21","4.2.22","4.2.23","4.2.24","4.2.25","4.2.26","4.2.27","4.2.28","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2.8","4.2.9","4.2a1","4.2b1","4.2rc1","5.0","5.0.1","5.0.10","5.0.11","5.0.12","5.0.13","5.0.14","5.0.2","5.0.3","5.0.4","5.0.5","5.0.6","5.0.7","5.0.8","5.0.9","5.0a1","5.0b1","5.0rc1","5.1","5.1.1","5.1.10","5.1.11","5.1.12","5.1.13","5.1.14","5.1.15","5.1.2","5.1.3","5.1.4","5.1.5","5.1.6","5.1.7","5.1.8","5.1.9","5.1a1","5.1b1","5.1rc1","5.2","5.2.1","5.2.10","5.2.11","5.2.2","5.2.3","5.2.4","5.2.5","5.2.6","5.2.7","5.2.8","5.2.9","5.2a1","5.2b1","5.2rc1","6.0","6.0.1","6.0.2","6.0a1","6.0b1","6.0rc1","archive/attic/boulder-oracle-sprint","archive/attic/full-history","archive/attic/generic-auth","archive/attic/gis","archive/attic/i18n","archive/attic/magic-removal","archive/attic/multi-auth","archive/attic/multiple-db-support","archive/attic/new-admin","archive/attic/newforms-admin","archive/attic/per-object-permissions","archive/attic/queryset-refactor","archive/attic/schema-evolution","archive/attic/schema-evolution-ng","archive/attic/search-api","archive/attic/sqlalchemy","archive/attic/unicode","archive/soc2009/admin-ui","arc
hive/soc2009/http-wsgi-improvements","archive/soc2009/i18n-improvements","archive/soc2009/model-validation","archive/soc2009/multidb","archive/soc2009/test-improvements","archive/soc2010/app-loading","archive/soc2010/query-refactor","archive/soc2010/test-refactor","stable/0.90.x","stable/0.91.x","stable/0.95.x","stable/0.96.x","stable/1.0.x","stable/1.1.x","stable/1.10.x","stable/1.11.x","stable/1.2.x","stable/1.3.x","stable/1.4.x","stable/1.5.x","stable/1.6.x","stable/1.7.x","stable/1.8.x","stable/1.9.x","stable/2.0.x","stable/2.1.x","stable/2.2.x","stable/3.0.x","stable/3.1.x","stable/3.2.x","stable/4.0.x","stable/4.1.x","stable/5.0.x","stable/5.1.x"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25674.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}