An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-9b7a6474a1 advisory.

    - Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit     bypass
    - Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
    - Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in     UpdateCacheMiddleware
    - Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
    - Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
    - Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
    - Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded     file upload
    - Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit     bypass
    - Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-4d1404fc5d advisory.

    - Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit     bypass
    - Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
    - Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in     UpdateCacheMiddleware
    - Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
    - Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
    - Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
    - Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded     file upload
    - Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit     bypass
    - Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-de6e24ae07 advisory.

    - Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit     bypass
    - Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
    - Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in     UpdateCacheMiddleware
    - Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
    - Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
    - Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
    - Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded     file upload
    - Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit     bypass
    - Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-b9548393aa advisory.

    - Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit     bypass
    - Fixes CVE-2026-35192: Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
    - Fixes CVE-2026-6907: Potential exposure of private data due to incorrect handling of Vary: * in     UpdateCacheMiddleware
    - Fixes CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
    - Fixes CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
    - Fixes CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
    - Fixes CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded     file upload
    - Fixes CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit     bypass
    - Fixes CVE-2026-25674: Potential incorrect permissions on newly created file system objects


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE- SU-2026:20373-1 advisory.

    Changes in python-Django:

    - CVE-2026-25674: Fixed race condition which can lead to potential incorrect permissions on newly created     file system objects (bsc#1259142)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:0821-1 advisory.

    This update for python-Django fixes the following issue:

    - CVE-2026-25674: race condition can lead to potential incorrect permissions on newly created file system     objects       (bsc#1259142).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in     file-system storage and file-based cache backends in Django allows an attacker to cause file system     objects to be created with incorrect permissions via concurrent requests, where one thread's temporary     `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series     (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank     Tarek Nakkouch for reporting this issue. (CVE-2026-25674)

Note that Nessus relies on the presence of the package as reported by the vendor.

The detected version of the Django Python package, is 4.2.x prior to 4.2.29, 5.2.x prior to 5.2.12, or 6.0.x prior to 6.0.3. It is, therefore, affected by a race condition vulnerability as referenced by security release advisory:

  - An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in     file-system storage and file-based cache backends in Django allows an attacker to cause file system     objects to be created with incorrect permissions via concurrent requests, where one thread's temporary     `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series     (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. (CVE-2026-25674)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
315986	Fedora 44 : python-django5 (2026-9b7a6474a1)	Nessus	Fedora Local Security Checks	medium
315981	Fedora 43 : python-django5 (2026-4d1404fc5d)	Nessus	Fedora Local Security Checks	medium
315959	Fedora 44 : python-django6 (2026-de6e24ae07)	Nessus	Fedora Local Security Checks	medium
314604	Fedora 42 : python-django5 (2026-b9548393aa)	Nessus	Fedora Local Security Checks	medium
303004	openSUSE 16 Security Update : python-Django (openSUSE-SU-2026:20373-1)	Nessus	SuSE Local Security Checks	low
301301	SUSE SLES15 / openSUSE 15 Security Update : python-Django (SUSE-SU-2026:0821-1)	Nessus	SuSE Local Security Checks	low
300925	Linux Distros Unpatched Vulnerability : CVE-2026-25674	Nessus	Misc.	low
300914	Python Library Django 4.2.x < 4.2.29 / 5.2.x < 5.2.12 / 6.0.x < 6.0.3 Race Condition	Nessus	Misc.	low

Detections

Analytics

CVE-2026-25674

low

Tenable Plugins

medium

medium

medium

medium

low

low

low

low