CVE-2026-25674: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in djangoproject Django
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
AI Analysis
Technical Summary
CVE-2026-25674 is a concurrency vulnerability, classified under CWE-362 (Race Condition), in the Django web framework's file-system storage and file-based cache backends. The issue stems from the way Django temporarily changes the process umask (the mask that strips permission bits from newly created files and directories) during file creation. The umask is a per-process attribute, not a per-thread one, so in multi-threaded environments a temporary umask change made by one request thread applies to every file or directory that other threads create during the same window, leaving file system objects with incorrect, and potentially overly permissive, permissions. This can result in unauthorized users reading sensitive files or modifying files they should not have access to. The vulnerability affects Django versions 6.0 prior to 6.0.3, 5.2 prior to 5.2.12, and 4.2 prior to 4.2.29. Unsupported earlier series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated and may also be vulnerable. The flaw was responsibly disclosed by researcher Tarek Nakkouch. No public exploits have been observed, but the vulnerability poses a significant risk wherever Django is deployed with multi-threaded request handling together with file-based storage or caching. No CVSS score has been assigned, so severity must be judged from the potential for privilege escalation and loss of data confidentiality that incorrect file permissions create.
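The mechanism described above, reduced to a constructed, runnable illustration. This is added example code, not Django's own implementation: `make_dir_via_umask` stands in for the vulnerable pattern (a temporary umask swap around directory creation, with two threading events added only so the race window can be held open deterministically), `write_file_naive` and `write_file_explicit` stand in for a second request writing a file during that window, and `reproduce()` returns the permission bits that file ends up with. All function names, paths and sample data are assumptions made for the example.

```python
import os
import stat
import tempfile
import threading

# Constructed demonstration of the umask race behind CVE-2026-25674.
# Illustrative code only; it is not Django's implementation.


def _mode(path):
    """Permission bits of a path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def make_dir_via_umask(path, dir_mode, started=None, release=None):
    """Vulnerable pattern: swap the process umask so that os.makedirs()
    yields exactly dir_mode, then restore it. umask is per process, not per
    thread, so anything another thread creates between the two os.umask()
    calls inherits the swapped value. `started`/`release` are demo-only hooks
    that hold the window open so the race reproduces every time."""
    old_umask = os.umask(0o777 & ~dir_mode)
    try:
        os.makedirs(path, dir_mode, exist_ok=True)
        if started is not None:
            started.set()
        if release is not None:
            release.wait()
    finally:
        os.umask(old_umask)


def make_dir_explicit(path, dir_mode):
    """Hardened pattern: leave umask alone and set the final mode of the
    leaf directory with chmod, which does not consult the umask."""
    os.makedirs(path, dir_mode, exist_ok=True)
    os.chmod(path, dir_mode)


def write_file_naive(path, data):
    """A file created with plain open() gets 0o666 & ~umask, whatever the
    umask happens to be at that instant."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_file_explicit(path, data, file_mode=0o644):
    """Hardened: create owner-only, then set the exact final mode on the open
    descriptor. The result is independent of the process umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
        os.fchmod(fd, file_mode)
    finally:
        os.close(fd)


def reproduce(writer, other_dir_mode=0o777):
    """One 'request' creates a directory with other_dir_mode through the
    umask swap while a second 'request' writes a file with `writer`.
    Returns the permission bits the file ended up with."""
    base = tempfile.mkdtemp()
    started, release = threading.Event(), threading.Event()
    saved = os.umask(0o022)  # pin a conventional baseline for the demo
    worker = threading.Thread(
        target=make_dir_via_umask,
        args=(os.path.join(base, "uploads"), other_dir_mode, started, release),
    )
    try:
        worker.start()
        started.wait()  # the other thread has now replaced the umask
        target = os.path.join(base, "cache-entry")
        writer(target, b"session data")
        return _mode(target)
    finally:
        release.set()
        worker.join()
        os.umask(saved)


if __name__ == "__main__":
    for dir_mode in (0o777, 0o700):
        print("other thread creating a %o directory:" % dir_mode)
        print("  naive writer    -> %o" % reproduce(write_file_naive, dir_mode))
        print("  explicit writer -> %o" % reproduce(write_file_explicit, dir_mode))
```

With a 0o777 directory mode the leaked umask is 0 and the naive writer produces a world-writable 0o666 file; with a 0o700 directory mode the leaked umask is 0o077 and the same file comes out 0o600, which is the "too restrictive" form of the bug that breaks a co-operating worker or process rather than leaking data. The explicit writer yields 0o644 in both cases because `fchmod` sets the final bits without consulting the umask, which is why the fix direction is "never touch umask, set the mode explicitly" rather than "swap umask more carefully".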
Potential Impact
The primary impact of this vulnerability is the potential for unauthorized access or modification of files due to incorrect file permissions set by concurrent requests exploiting the race condition. This can lead to confidentiality breaches if sensitive files become accessible to unauthorized users, integrity issues if files are modified maliciously, and potentially availability concerns if critical files are corrupted or deleted. Organizations running Django applications that rely on file-system storage or file-based caching in multi-threaded environments are at risk. Attackers with the ability to send concurrent requests to the application could exploit this flaw to escalate privileges or access sensitive data. The scope includes any Django deployment using affected versions and configurations, which is significant given Django's widespread use in web applications globally. The lack of known exploits in the wild suggests the vulnerability is not yet actively exploited, but the risk remains high due to the ease of triggering concurrent requests in web environments.
Mitigation Recommendations
Organizations should immediately upgrade affected Django versions to the patched releases: 6.0.3 or later, 5.2.12 or later, and 4.2.29 or later. If upgrading is not immediately feasible, mitigate risk by avoiding multi-threaded deployment configurations that handle concurrent requests affecting file creation or caching, or by switching to alternative storage and caching backends that do not rely on file-system permissions. Implement strict file permission auditing and monitoring to detect anomalous permission changes. Additionally, consider isolating Django application processes to minimize the impact of improper umask changes across threads. Review application code and deployment environments for any custom file permission handling that could exacerbate the issue. Employ runtime security tools to detect race conditions or unexpected file permission changes. Finally, maintain robust access controls and logging to quickly identify and respond to any exploitation attempts.
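One way to implement the file permission auditing recommended above, as an added example rather than anything from the page or from Django itself: `audit_tree()` walks a storage or cache directory and reports every entry whose mode deviates from the configured expectation, flagging world-writable entries separately. The expected modes are assumptions for the example (0o644 for files, 0o755 for directories; in a Django deployment they would normally mirror the `FILE_UPLOAD_PERMISSIONS` and `FILE_UPLOAD_DIRECTORY_PERMISSIONS` settings), and `build_sample_tree()` constructs a throwaway fixture so the script runs offline.

```python
import os
import stat
import tempfile

# Expected modes. Assumed values for this example; a real deployment would
# take them from its own storage/cache configuration.
EXPECTED_FILE_MODE = 0o644
EXPECTED_DIR_MODE = 0o755


def audit_tree(root, file_mode=EXPECTED_FILE_MODE, dir_mode=EXPECTED_DIR_MODE):
    """Walk `root` and return one finding per entry whose permission bits
    differ from the expected mode. Each finding records the path relative to
    root, the actual and expected mode, and whether the entry is
    world-writable (the case worth alerting on). Symlinks are skipped because
    their own mode bits carry no meaning."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, dir_mode) for d in dirnames] + [(f, file_mode) for f in filenames]
        for name, expected in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "actual": actual,
                    "expected": expected,
                    "world_writable": bool(actual & stat.S_IWOTH),
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed fixture: a media tree in which some entries carry the kind
    of modes a leaked umask leaves behind. Modes are set with chmod so the
    fixture itself does not depend on the current umask."""
    root = tempfile.mkdtemp()
    layout = {
        "uploads": 0o755,        # as intended
        "uploads/a.txt": 0o644,  # as intended
        "uploads/b.txt": 0o666,  # written while another thread held umask 0
        "leaked": 0o777,         # directory with the same problem
        "private": 0o700,        # too restrictive: another thread held umask 0o077
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if rel.endswith(".txt"):
            with open(path, "wb") as fh:
                fh.write(b"x")
        else:
            os.mkdir(path)
        os.chmod(path, mode)
    return root


def format_finding(finding):
    """Single-line report entry suitable for a log or ticket."""
    flag = " WORLD-WRITABLE" if finding["world_writable"] else ""
    return "%s: mode %o, expected %o%s" % (
        finding["path"], finding["actual"], finding["expected"], flag)


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(format_finding(finding))
```

Run it periodically (or from a file-change trigger) against the media root and the file cache location. A 0o700 finding is as diagnostic as a 0o777 one: the leaked umask can make objects either too open or too closed, and a sudden cluster of deviations on objects created within the same few seconds is the signature to look for.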
Affected Countries
United States, Germany, United Kingdom, France, Japan, Australia, Canada, India, Brazil, Netherlands, South Korea, Sweden, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: DSF
- Date Reserved: 2026-02-04T18:27:10.658Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69a6f4b6d1a09e29cb4db07a
Added to database: 3/3/2026, 2:48:22 PM
Last enriched: 3/3/2026, 3:03:19 PM
Last updated: 3/4/2026, 6:51:01 AM