CVE-2026-25674
Description
An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. A race condition in the file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary umask change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
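The mechanism described above, as an added example (not Django's code and not its patch): `os.umask()` is process-wide, so a file created by another thread during a temporary umask change inherits the wrong mask, while an explicit `chmod` leaves no such window. All function names, the 0o077 baseline and the paused thread are constructed for illustration.

```python
import os, stat, tempfile, threading
from contextlib import contextmanager

@contextmanager
def temporary_umask(mask):
    # Racy pattern: os.umask() is process-wide, so all threads see the change.
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)

def mkdir_explicit(path, mode):
    # Hardened pattern: leave the umask alone, then set the final mode directly.
    os.mkdir(path, 0o700)
    os.chmod(path, mode)

def new_file_mode(path):  # unrelated thread: relies on the process umask
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666))
    return stat.S_IMODE(os.stat(path).st_mode)

def bystander_mode(root, racy, dir_mode=0o755):
    """Mode of a file created by a second thread while a directory is being made."""
    inside, release = threading.Event(), threading.Event()
    target = os.path.join(root, "upload_dir")
    def worker():
        if racy:
            with temporary_umask(0o777 & ~dir_mode):
                os.mkdir(target, dir_mode)
                inside.set()
                release.wait(timeout=5)  # constructed pause holding the window open
        else:
            mkdir_explicit(target, dir_mode)
            inside.set()
    t = threading.Thread(target=worker)
    t.start()
    inside.wait(timeout=5)
    try:
        return new_file_mode(os.path.join(root, "bystander.txt"))
    finally:
        release.set()
        t.join()

def run_demo():
    saved = os.umask(0o077)  # constructed baseline: process wants private files
    try:
        with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
            return bystander_mode(a, racy=True), bystander_mode(b, racy=False)
    finally:
        os.umask(saved)
```

`run_demo()` returns the bystander file's mode for the racy and the hardened pattern in that order; on a POSIX system the first is world-readable and the second is not.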
Risk Information
Base Score
3.7
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
0.035
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2026-25673,CVE-2026-25674 are fixed in Python-django 4.2.29 | Windows |
| Vulnerabilities CVE-2026-25673,CVE-2026-25674 are fixed in Python-django 5.2.12 | Windows |
| Vulnerabilities CVE-2026-25673,CVE-2026-25674 are fixed in Python-django 6.0.3 | Windows |
| Vulnerabilities CVE-2026-25673,CVE-2026-25674 are fixed in Python-django for linux 4.2.29 | Linux |
| Vulnerabilities CVE-2026-25673,CVE-2026-25674 are fixed in Python-django for linux 5.2.12 | Linux |
| Vulnerabilities CVE-2026-25673,CVE-2026-25674 are fixed in Python-django for linux 6.0.3 | Linux |
Patch Details
No records found