CVE-2026-25674 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2026-25674 Interim 1 1 2026-03-05T00:16:00Z current 2026-03-05T00:16:00Z 2026-03-05T00:16:00Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2026-25674 An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Package Hub 15 SP7 openSUSE Leap 15.6 openSUSE Tumbleweed python-Django python311-Django python311-Django-4.2.11-150600.3.50.1 python311-Django4-4.2.29-1.1 python313-Django4-4.2.29-1.1 python313-Django6-6.0.3-1.1 python311-Django4-4.2.29-1.1 as a component of openSUSE Tumbleweed python313-Django4-4.2.29-1.1 as a component of openSUSE Tumbleweed python313-Django6-6.0.3-1.1 as a component of openSUSE Tumbleweed python311-Django-4.2.11-150600.3.50.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python311-Django-4.2.11-150600.3.50.1 as a component of openSUSE Leap 15.6 python311-Django as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python-Django as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python311-Django as a component of openSUSE Leap 15.6 python-Django as a component of openSUSE Leap 15.6 An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. CVE-2026-25674 openSUSE Tumbleweed:python311-Django4-4.2.29-1.1 openSUSE Tumbleweed:python313-Django4-4.2.29-1.1 openSUSE Tumbleweed:python313-Django6-6.0.3-1.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.50.1 openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.50.1 moderate 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N