CVE-2026-25674
This vulnerability has been fixed in the Never-Ending Support (NES) versions offered by HeroDevs.
Overview
Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.
A security misconfiguration vulnerability (CVE-2026-25674) has been identified in Django: the file-system storage and file-based cache backends relied on the process-wide umask to control the permissions of the directories they create. The umask is shared by every thread in a process, so a temporary change made by one thread while it creates a directory is also applied to any file or directory that another thread creates during that window. The result can be filesystem objects with more permissive modes than the application intended, exposing application data to other local users or processes on the host.
Per OWASP: Security misconfiguration vulnerabilities occur when applications or supporting infrastructure are configured insecurely, resulting in unintended exposure of sensitive functionality or data. Improperly applied file or directory permissions can allow unauthorized users or processes to access protected resources, increasing the risk of information disclosure or privilege abuse.
Details
Module Info
- Product: Django
- Affected packages: django
- Affected versions: <=3.2.25, <=4.2.28, <=5.2.11, <=6.0.2
- GitHub repository: https://github.com/django/django
- Published packages: https://pypi.org/project/Django/
- Package manager: pip
- Fixed in: Django NES v3.2.27 and v4.2.31
Vulnerability Info
This Low-severity vulnerability is in the core django package and affects all releases up to and including the affected versions listed above.
Django's file-system storage and file-based cache backends are meant to create directories and cache files with explicitly controlled permissions, so that application data is readable and writable only by the account the application runs as. Instead of applying the configured mode directly, the affected code relied on the process-wide umask while creating directories, including changing it temporarily.
The umask is process state, not thread state. In a multi-threaded server, a temporary change made by one thread during directory creation is also in effect for every other thread that happens to create a file or directory at the same moment, and those objects end up with the widened mode. The consequence is directories or cache files that are more permissive than configured, which may expose sensitive application data or allow unintended access by other local users or processes on the same host. The impact is limited to what such a local principal can do with an over-permissive file or directory, which is why the issue is rated Low.
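The following is an added example, not code from Django or from HeroDevs. It reproduces the mechanism described above in a minimal form: one thread widens the process umask around a directory creation (the pattern the advisory describes), and a file created by another thread in that window inherits the relaxed umask and comes out world-writable. It then shows the hardened alternative I would use for this: never touch os.umask(), create each object with a tight initial mode and set the intended mode explicitly with chmod/fchmod, which the umask does not affect. Paths, mode values and the "hostile umask" harness are assumptions chosen for the demonstration.

```python
import os
import stat
import tempfile
import threading


def umask_leak_demo(base_umask=0o022):
    """Deterministically reproduce the cross-thread umask leak.

    A worker thread follows the vulnerable pattern: it clears the process
    umask "just for" a directory creation. The main thread creates an
    ordinary file while that umask is in effect. Because umask is shared by
    all threads, the file inherits the relaxed umask. Returns the mode bits
    of a file created (during, after) the worker's umask window.
    """
    with tempfile.TemporaryDirectory() as tmp:
        saved = os.umask(base_umask)  # pin a known baseline for the demo
        try:
            window_open = threading.Event()
            may_close = threading.Event()

            def vulnerable_makedirs():
                old = os.umask(0)  # vulnerable: process-wide side effect
                try:
                    os.makedirs(os.path.join(tmp, "a", "nested"), 0o777, exist_ok=True)
                    window_open.set()  # every other thread now sees umask 0
                    may_close.wait()
                finally:
                    os.umask(old)

            def create_with_default_mode(name):
                # An unrelated write path that expects umask to trim 0o666.
                p = os.path.join(tmp, name)
                fd = os.open(p, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
                os.close(fd)
                return stat.S_IMODE(os.stat(p).st_mode)

            t = threading.Thread(target=vulnerable_makedirs)
            t.start()
            window_open.wait()
            during = create_with_default_mode("during")  # 0o666, world-writable
            may_close.set()
            t.join()
            after = create_with_default_mode("after")    # 0o644, umask applied
            return during, after
        finally:
            os.umask(saved)


def makedirs_explicit(path, mode=0o755):
    """Create missing directories with an explicit mode and no os.umask().

    Each directory is created 0o700 (a umask can only narrow that, never
    widen it) and then chmod-ed to `mode`; chmod is not subject to umask.
    Returns the directories this call created.
    """
    missing = []
    head = os.path.abspath(path)
    while not os.path.isdir(head):
        missing.append(head)
        head = os.path.dirname(head)
    created = []
    for d in reversed(missing):
        try:
            os.mkdir(d, 0o700)
        except FileExistsError:  # lost a race with another creator; fine
            continue
        os.chmod(d, mode)
        created.append(d)
    return created


def create_file_explicit(path, data, mode=0o644):
    """Create a file whose final mode is explicit and umask-independent."""
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    try:
        os.fchmod(fd, mode)  # explicit; the umask plays no part
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def hardened_under_hostile_umask(dir_mode=0o750, file_mode=0o640):
    """Run the explicit-mode helpers while the process umask is 0, as if
    another thread had just leaked it, and report the resulting modes."""
    with tempfile.TemporaryDirectory() as tmp:
        saved = os.umask(0)
        try:
            target = os.path.join(tmp, "cache", "shard", "00")  # assumed layout
            makedirs_explicit(target, dir_mode)
            dirs = [os.path.join(tmp, "cache"), os.path.join(tmp, "cache", "shard"), target]
            dir_modes = {os.path.relpath(d, tmp): stat.S_IMODE(os.stat(d).st_mode) for d in dirs}
            file_mode_seen = create_file_explicit(os.path.join(target, "entry"), b"x", file_mode)
            return dir_modes, file_mode_seen
        finally:
            os.umask(saved)


if __name__ == "__main__":
    during, after = umask_leak_demo()
    print("file created inside another thread's umask window:", oct(during))
    print("file created after the window closed:", oct(after))
    dir_modes, file_mode_seen = hardened_under_hostile_umask()
    print("explicit-mode directories under umask 0:", {k: oct(v) for k, v in dir_modes.items()})
    print("explicit-mode file under umask 0:", oct(file_mode_seen))
```

The demo uses events rather than timing so the overlap is guaranteed; in a real server the window is the few microseconds around the makedirs call, which is exactly why the bug is intermittent and hard to reproduce on demand. The hardened helpers trade a brief 0o700/0o600 interval for the guarantee that a concurrent umask change can only make an object tighter, never wider, than requested.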
Mitigation
Django versions 3.2 and 4.2 are End-of-Life upstream and will not receive updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Django.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
As a complementary check, audit application and third-party code for calls to os.umask() made from request-handling threads, since any such call reopens the same window regardless of the Django version, and run the application under a dedicated service account whose media and cache directories are not reachable by other local users.
Credits
- Tarek Nakkouch (finder)