CVE-2026-25674
Received Received - Intake
Race Condition in Django File-System Storage Causes Permission Issues

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: Django Software Foundation

Description
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25674
EUVD
EUVD-2026-9295
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
djangoproject django From 4.2.0 (inc) to 4.2.29 (exc)
djangoproject django From 5.2 (inc) to 5.2.12 (exc)
djangoproject django From 6.0 (inc) to 6.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability is a race condition in Django's file-system storage and file-based cache backends that causes file system objects to be created with incorrect permissions."}, {'type': 'paragraph', 'content': 'The issue arises because these backends relied on the process-wide umask setting to control permissions when creating directories. In multi-threaded environments, a temporary umask change in one thread could affect other threads, leading to unintended permissions on files and directories.'}, {'type': 'paragraph', 'content': 'Django fixed this by explicitly applying the requested permissions using os.chmod() immediately after creating directories, removing the dependency on the process-wide umask and ensuring consistent permissions regardless of threading.'}] [1]

Impact Analysis

This vulnerability can lead to files and directories being created with incorrect or unintended permissions in a Django application running in a multi-threaded environment.

Incorrect permissions may expose sensitive files to unauthorized users or processes, potentially leading to information disclosure or unauthorized modification.

Although the severity is classified as low, the impact depends on the sensitivity of the data stored and the environment in which Django is deployed.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves a race condition causing file system objects to be created with incorrect permissions due to concurrent requests affecting the process-wide umask in multi-threaded environments.'}, {'type': 'paragraph', 'content': "Detection would involve checking for files or directories created by Django's file-system storage or file-based cache backends that have permissions inconsistent with the intended settings."}, {'type': 'paragraph', 'content': "Since the issue is related to incorrect permissions on newly created files or directories, you can inspect the permissions of these objects in your Django application's storage or cache directories."}, {'type': 'list_item', 'content': 'Use commands like `ls -l` or `stat` on the relevant directories to identify files or directories with unexpected permission bits.'}, {'type': 'list_item', 'content': 'Monitor your application logs for any warnings or errors related to file permission issues.'}, {'type': 'list_item', 'content': 'Consider running tests that simulate concurrent requests to see if file permissions are set incorrectly.'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade Django to a version where this issue is fixed.

  • Upgrade to Django 6.0.3 or later, 5.2.12 or later, or 4.2.29 or later, as these versions include the fix that explicitly applies correct permissions using os.chmod() after directory creation.
  • If upgrading immediately is not possible, restrict access to the affected file-system storage and cache directories to trusted users only.
  • Avoid running Django in multi-threaded environments where concurrent requests might trigger this race condition until the fix is applied.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25674. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart