From 604695cddb41981b84a8d976d1f4c74c39e112b0 Mon Sep 17 00:00:00 2001
From: Shai Berger <shai@platonix.com>
Date: Tue, 28 Apr 2026 11:59:06 +0300
Subject: Refs CVE-2026-25674 -- Clarified role of umask in upload permissions.

---
 docs/ref/settings.txt | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index c4e2c6f2c3..74a5b71d10 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -1636,6 +1636,12 @@ when using the :djadmin:`collectstatic` management command. See
     modes must be specified. If you try to use ``644``, you'll get totally
     incorrect behavior.
 
+.. admonition:: A numeric value trumps umask
+
+    When this setting has a numeric value (one you've set yourself, or the
+    default ``0o644``), this value will be used as is, and a umask will not
+    be applied to it. The umask will apply only if this setting is ``None``.
+
 .. setting:: FILE_UPLOAD_TEMP_DIR
 
 ``FILE_UPLOAD_TEMP_DIR``
-- 
cgit v1.3