BIT-django-2026-25674

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/django/BIT-django-2026-25674.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-django-2026-25674

Aliases

CVE-2026-25674
GHSA-mjgh-79qc-68w3

Published

2026-03-06T08:38:51.644Z

Modified

2026-03-06T09:26:10.111256Z

Summary

Potential incorrect permissions on newly created file system objects

Details

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary umask change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Database specific

{
    "cpes": [
        "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
    ],
    "severity": "Low"
}

References

Affected packages

Bitnami / django

Package

Name: django
Purl: pkg:bitnami/django

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

4.2.0

Fixed

4.2.29

Introduced

5.2.0

Fixed

5.2.12

Introduced

6.0.0

Fixed

6.0.3

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/django/BIT-django-2026-25674.json"