CVE-2026-24486
8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Summary
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using UPLOAD_KEEP_FILENAME=True in project configurations.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Kludex | python-multipart | < 0.0.22 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability
Additional References
- https://access.redhat.com/security/cve/CVE-2026-24486
- https://bugzilla.redhat.com/show_bug.cgi?id=2433132
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24486.json
- https://access.redhat.com/errata/RHSA-2026:3461
- https://access.redhat.com/errata/RHSA-2026:3462
- https://access.redhat.com/errata/RHSA-2026:3960
- https://access.redhat.com/errata/RHSA-2026:10184
- https://access.redhat.com/errata/RHSA-2026:3782
- https://access.redhat.com/errata/RHSA-2026:19712
- https://access.redhat.com/errata/RHSA-2026:3713
- https://access.redhat.com/errata/RHSA-2026:1504
References
- https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
- https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
- https://github.com/Kludex/python-multipart/releases/tag/0.0.22
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.