CVE-2026-25674

CWE-362 — Race Condition CWE-3678 documents7 sources

Severity

3.7LOW

EPSS

0.0%

top 98.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedMar 3

Description

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django wo…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages5 packages

▶PyPIDjango6.0 — 6.0.3+2

▶PyPIdjango6.0 — 6.0.3+2

▶CVEListV5djangoproject/django6.0 — 6.0.3+2

▶NVDdjangoproject/django4.2.0 — 4.2.29+2

▶Debianpython-django< 3:4.2.29-1

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

GHSA

Django has a Race Condition vulnerability↗2026-03-03

▶

CVEList

Potential incorrect permissions on newly created file system objects↗2026-03-03

▶

OSV

Django has a Race Condition vulnerability↗2026-03-03

▶

OSV

CVE-2026-25674: An issue was discovered in 6↗2026-03-03

▶

📋Vendor Advisories

Red Hat

django: Django: Incorrect file permissions due to race condition↗2026-03-03

▶

Debian

CVE-2026-25674: python-django - An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25674 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶