Description
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Tarek Nakkouch for reporting this issue.
Published: 2026-03-03
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Incorrect File Permissions
Action: Apply Patch
AI Analysis

Impact

Race condition in Django’s file‑system storage and file‑based cache backends can cause newly created objects to be created with weaker permissions. The flaw arises when concurrent requests alter a thread’s temporary umask, affecting other threads and producing files that lack the intended restrictive permissions. The likely impact is that an attacker might read or modify data that should normally be protected, potentially enabling privilege escalation or data leakage. This vulnerability is rooted in CWE-362 (Race Condition) and CWE-367 (Access Control).

Affected Systems

This issue affects Django releases prior to 6.0.3, 5.2.12 and 4.2.29. Earlier unsupported series such as 5.0.x, 4.1.x and 3.2.x were not evaluated but may also be impacted.

Risk and Exploitability

The CVSS score of 3.7 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be concurrent requests to a multithreaded Django deployment (e.g., a WSGI server that spawns threads). Successful exploitation would create files with overly permissive modes, allowing other users or processes to read or modify them.

Generated by OpenCVE AI on April 17, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to at least version 6.0.3, 5.2.12, or 4.2.29, depending on your installed branch.
  • If an upgrade cannot be performed immediately, configure your deployment to run in single‑threaded mode or otherwise disable concurrent request handling to eliminate the race condition.
  • Enforce a strict umask (e.g., 022) or apply a file‑permission policy for file creation in your application, and audit newly created files to ensure they have the intended restrictive permissions.

Generated by OpenCVE AI on April 17, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mjgh-79qc-68w3 Django has a Race Condition vulnerability
History

Thu, 05 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Wed, 04 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 threat_severity

Low

Tue, 03 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Title Potential incorrect permissions on newly created file system objects
Weaknesses CWE-362
References

Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-03-03T15:27:10.815Z

Reserved: 2026-02-04T18:27:10.658Z

Link: CVE-2026-25674

cve-icon Vulnrichment

Updated: 2026-03-03T15:27:03.909Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-03T15:16:19.280

Modified: 2026-03-05T14:07:03.600

Link: CVE-2026-25674

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-03T14:28:37Z

Links: CVE-2026-25674 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses