{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "4.2.0" }, { "fixed": "4.2.29" }, { "introduced": "5.2" }, { "fixed": "5.2.12" }, { "introduced": "6.0" }, { "fixed": "6.0.3" } ] }, "events": [ { "introduced": "0" }, { "fixed": "f2ec75efbcf4d1ed63f135e5f8ff5f0463175312" }, { "introduced": "9e7cc2b628fe8fd3895986af9b7fc9525034c1b0" }, { "fixed": "4f382ca672f86dd4a1e4d071c91d0caad0e124b3" }, { "introduced": "36b5f39d9372147f0e758f590e35ee2b2bc317dd" }, { "fixed": "a0d3bdb5b0a22cdbb4d3f7e5eabd7fe0f7311f68" } ], "repo": "https://github.com/django/django", "type": "GIT" } ] } ], "details": "An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\nRace condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Tarek Nakkouch for reporting this issue.", "id": "CVE-2026-25674", "modified": "2026-04-01T23:09:38.220772066Z", "published": "2026-03-03T15:16:19.280Z", "references": [ { "type": "ADVISORY", "url": "https://groups.google.com/g/django-announce" }, { "type": "FIX", "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "type": "FIX", "url": "https://www.djangoproject.com/weblog/2026/mar/03/security-releases/" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "type": "CVSS_V3" } ] }