CVE-2026-24486
published 2026-01-27
CVE-2026-24486: Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default…
Priority P260 · high · 7.5 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS 2.23% (80.5th percentile)
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-multipart | < python-multipart 0.0.20-1.1 (forky) | python-multipart 0.0.20-1.1 (forky) |
| fastapiexpert | python-multipart | < 0.0.22 | 0.0.22 |
| kludex | python-multipart | < 0.0.22 | 0.0.22 |
| kludex | python-multipart | >= 0 < 0.0.20-1.1~deb13u1 | 0.0.20-1.1~deb13u1 |
| kludex | python-multipart | >= 0 < 0.0.20-1.1 | 0.0.20-1.1 |
| kludex | python-multipart | >= 0 < 0.0.22 | 0.0.22 |
| kludex | python-multipart | >= 0 < 0.0.5-2ubuntu0.1~esm1 | 0.0.5-2ubuntu0.1~esm1 |
| kludex | python-multipart | >= 0 < 0.0.9-1ubuntu0.1~esm1 | 0.0.9-1ubuntu0.1~esm1 |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered only when both non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True` are set; detect/alert on applications using this combination with python-multipart prior to 0.0.22
- Attack vector is a crafted malicious filename in a multipart file upload request; inspect multipart Content-Disposition filename fields for path traversal sequences (e.g., `../`, absolute paths, null bytes)
- Successful exploitation can result in remote code execution via arbitrary file write outside the upload directory; monitor for unexpected file creation outside the configured `UPLOAD_DIR`
- Sanitization bypass check: safe applications should apply `os.path.basename(file.filename)` to strip path components; absence of this or equivalent sanitization indicates exploitable code paths
- Vulnerability only manifests when BOTH `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True` are configured; default configurations are NOT affected
- Workaround (without patching) is to avoid using `UPLOAD_KEEP_FILENAME=True`; disabling this option alone prevents the path traversal
- The exploit PoC targets python-multipart versions prior to 0.0.22; the fix is available in 0.0.22
- Several Red Hat packages are listed as 'Not affected' (e.g., openshift-lightspeed/lightspeed-ocp-rag-rhel9) while others are 'Affected'; scope of impact varies by container image
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 8.6 | HIGH | |
| vendor_redhat | | 8.6 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
VulDB
Kludex python-multipart up to 0.0.21 Filename path traversal (EDB-52543 / Nessus ID 296740)
vuldb·2026-06-30·CVSS 7.5
CVE-2026-24486 [HIGH] Kludex python-multipart up to 0.0.21 Filename path traversal (EDB-52543 / Nessus ID 296740)
A vulnerability was found in Kludex python-multipart up to 0.0.21 and classified as critical. This impacts an unknown function of the component Filename Handler. Executing a manipulation can lead to path traversal.
The identification of this vulnerability is CVE-2026-24486. The attack may be launched remotely. Furthermore, there is an exploit available.
It is suggested to upgrade the affected component.
OSV
python-multipart vulnerabilities
osv·2026-02-11·CVSS 7.5
CVE-2024-24762 [HIGH] python-multipart vulnerabilities
python-multipart vulnerabilities
It was discovered that Python-Multipart incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause Python-Multipart to consume excessive resources, leading to a regular expression denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24762)
It was discovered that Python-Multipart did not properly sanitize line breaks during user input. An attacker could use this issue to send arbitrary input, thus preventing other requests from being processed, resulting in a denial of service. This issue was only fixed in Ubuntu 24.04 LTS. (CVE-2024-53981)
It was discovered that Python-Multipart was vulnerable to path traversal attacks. An attacker could possibly craft and upload files outside the target directo
OSV
CVE-2026-24486: Python-Multipart is a streaming multipart parser for Python
osv·2026-01-27·CVSS 7.5
CVE-2026-24486 [HIGH] CVE-2026-24486: Python-Multipart is a streaming multipart parser for Python
GHSA
Python-Multipart has Arbitrary File Write via Non-Default Configuration
ghsa·2026-01-26
CVE-2026-24486 [HIGH] CWE-22 Python-Multipart has Arbitrary File Write via Non-Default Configuration
Python-Multipart has Arbitrary File Write via Non-Default Configuration
### Summary
A Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename.
### Details
When `UPLOAD_DIR` is set and `UPLOAD_KEEP_FILENAME` is `True`, the library constructs the file path using `os.path.join(file_dir, fname)`. Due to the behavior of `os.path.join()`, if the filename begins with a `/`, all preceding path components are discarded:
```py
os.path.join("/upload/dir", "/etc/malicious") == "/etc/malicious"
```
This allows an attacker to bypass the intended upload directory and write files to arbitrary paths.
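The `os.path.join()` behaviour described above next to the hardened construction the IOC list recommends (`os.path.basename()` plus a containment check), together with a Content-Disposition filename check for the crafted-filename indicator; this is an added example, not code from the advisory or from python-multipart, and `/upload/dir` and the sample header values are constructed.

```python
import os
import re

# Detection side (from the page's IOC list): flag Content-Disposition
# filename values that carry path separators, '..' components or NUL bytes.
_FILENAME_RE = re.compile(r'filename="([^"]*)"')

def suspicious_filename(content_disposition: str) -> bool:
    """True if the multipart Content-Disposition header carries a filename
    with a path separator, a dot-only component or an embedded NUL byte."""
    m = _FILENAME_RE.search(content_disposition)
    if not m:
        return False
    name = m.group(1)
    parts = re.split(r"[\\/]", name)
    return "\x00" in name or len(parts) > 1 or name in ("..", ".")

def naive_target_path(upload_dir: str, fname: str) -> str:
    """The construction the advisory describes: os.path.join() drops
    upload_dir entirely when fname is an absolute path."""
    return os.path.join(upload_dir, fname)

def safe_target_path(upload_dir: str, fname: str) -> str:
    """Hardened variant: keep only the basename (the sanitisation the IOC
    list suggests), reject degenerate names, and confirm the resolved path
    is still inside upload_dir before anything is written."""
    base = os.path.basename(fname.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError(f"rejected filename: {fname!r}")
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload dir: {candidate}")
    return candidate

def accepts(upload_dir: str, fname: str) -> bool:
    """True if safe_target_path() would allow a write for this filename."""
    try:
        safe_target_path(upload_dir, fname)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample names, mirroring the advisory's os.path.join() example.
    for name in ("report.pdf", "/etc/malicious", "../../tmp/x", ".."):
        hdr = f'form-data; name="file"; filename="{name}"'
        safe = safe_target_path("/upload/dir", name) if accepts("/upload/dir", name) else "REJECTED"
        print(f"{name!r:18} suspicious={suspicious_filename(hdr)} "
              f"naive={naive_target_path('/upload/dir', name)} safe={safe}")
```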
#### Affected Config
OSV
Python-Multipart has Arbitrary File Write via Non-Default Configuration
osv·2026-01-26
CVE-2026-24486 [HIGH] Python-Multipart has Arbitrary File Write via Non-Default Configuration
Ubuntu
Python-Multipart vulnerabilities
vendor_ubuntu·2026-02-11·CVSS 7.5
CVE-2024-53981 [HIGH] Python-Multipart vulnerabilities
Title: Python-Multipart vulnerabilities
Summary: Several security issues were fixed in Python-Multipart.
It was discovered that Python-Multipart incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause Python-Multipart to consume excessive resources, leading to a regular expression denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24762)
It was discovered that Python-Multipart did not properly sanitize line breaks during user input. An attacker could use this issue to send arbitrary input, thus preventing other requests from being processed, resulting in a denial of service. This issue was only fixed in Ubuntu 24.04 LTS. (CVE-2024-53981)
It was discovered that Python-Multipart was vulnerable to path traversal attacks. An
Red Hat
python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability
vendor_redhat·2026-01-27·CVSS 8.6
CVE-2026-24486 [HIGH] CWE-22 python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability
python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability
A flaw was found in Python-Multipart, a tool for parsing multipart form data in Python applications. This vulnerability, known as path traversal, allows a remote attacker to write uploaded files to any location on the server's file sys
Debian
CVE-2026-24486: python-multipart - Python-Multipart is a streaming multipart parser for Python. Prior to version 0....
vendor_debian·2026·CVSS 8.6
CVE-2026-24486 [HIGH] CVE-2026-24486: python-multipart - Python-Multipart is a streaming multipart parser for Python. Prior to version 0....
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 0.0.20-1.1)
sid: resolved (fixed in 0.0.20-1.1)
trixie: resolved (fixed in 0.0.20-1.1~deb13u1)
No detection rules found.
Wiz
CVE-2026-24486 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-24486 [HIGH] CVE-2026-24486 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24486: Python vulnerability analysis and mitigation
Score 7.5 (Source: NVD)
Published January 27, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies: Python, Wolfi
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: airflow-3, open-webui
Sources: NVD
| Distribution | Versions | Severity | Fix | Added at |
|---|---|---|---|---|
| Alpine | 3.19, 3.20, 3.21, 3.22, 3.23, edge | HIGH | No Fix | Feb 18, 2026 |
| Chainguard | | | Has Fix | Jan 28, 2026 |
| Debian | 11, 12 | MEDIUM | No Fix | Jan 27, 2026 |
| Debian | 13, 14 | HIGH | Has Fix | Jan 27, 2026 |
| Echo | | HIGH | Has Fix | |
Bugzilla
CVE-2026-24486 python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability
bugzilla·2026-01-27·CVSS 7.5
CVE-2026-24486 [HIGH] CVE-2026-24486 python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability
CVE-2026-24486 python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability
- https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
- https://github.com/Kludex/python-multipart/releases/tag/0.0.22
- https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
- https://access.redhat.com/errata/RHSA-2026:10184
- https://access.redhat.com/errata/RHSA-2026:1504
- https://access.redhat.com/errata/RHSA-2026:19712
- https://access.redhat.com/errata/RHSA-2026:3461
- https://access.redhat.com/errata/RHSA-2026:3462
- https://access.redhat.com/errata/RHSA-2026:3713
- https://access.redhat.com/errata/RHSA-2026:3782
- https://access.redhat.com/errata/RHSA-2026:3960
- https://access.redhat.com/security/cve/CVE-2026-24486
- https://bugzilla.redhat.com/show_bug.cgi?id=2433132
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24486.json
Published 2026-01-27