Race Condition in Django Affects File System Storage and Cache Management
CVE-2026-25674

3.7LOW

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
3 March 2026

What is CVE-2026-25674?

A race condition in Django's file-system storage and file-based cache backends enables an attacker to manipulate the permissions of file system objects through concurrent requests. This vulnerability occurs when the temporary umask setting altered by one thread inadvertently impacts others within a multi-threaded environment. Unsupported versions of Django prior to the series mentioned may also be susceptible to similar risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Django 6.0 < 6.0.3

Django 5.2 < 5.2.12

Django 4.2 < 4.2.29

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/mar/03/security...
vendor-advisory

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tarek Nakkouch
Natalia Bidart
Natalia Bidart
JSON
.