CVE-2026-42561
Published 2026-05-13
Priority P3 · 42 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.55% (41.8th percentile)
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.
Affected
33 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-25 | lightspeed-chatbot-rhel8 | — | — |
| ansible-automation-platform-26 | lightspeed-chatbot-rhel9 | — | — |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| kludex | python-multipart | < 0.0.27 | 0.0.27 |
| kludex | python-multipart | >= 0 < 0.0.27 | 0.0.27 |
| mta | mta-solution-server-rhel9 | — | — |
| openshift-lightspeed | lightspeed-ocp-rag-rhel9 | — | — |
| openshift-lightspeed | lightspeed-service-api-rhel9 | — | — |
| rhaiis | vllm-cpu-rhel9 | — | — |
| rhaiis | vllm-neuron-rhel9 | — | — |
| rhaiis | vllm-spyre-rhel9 | — | — |
| rhaiis | vllm-tpu-rhel9 | — | — |
| rhelai3 | bootc-aws-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-rocm-rhel9 | — | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-gcp-cuda-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhoai | odh-caikit-nlp-rhel9 | — | — |
| rhoai | odh-caikit-tgis-serving-rhel9 | — | — |
| rhoai | odh-kserve-agent-rhel9 | — | — |
| rhoai | odh-kserve-controller-rhel9 | — | — |
| rhoai | odh-kserve-router-rhel9 | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat · 7.5 HIGH
GHSA
python-multipart has Denial of Service via unbounded multipart part headers
ghsa·2026-05-06
CVE-2026-42561 [HIGH] CWE-770 python-multipart has Denial of Service via unbounded multipart part headers
### Summary
`python-multipart` has a denial of service vulnerability in multipart part header parsing. When parsing `multipart/form-data`, `MultipartParser` previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion.
### Impact
Applications that parse attacker-controlled `multipart/form-data` with affected versions of `python-multipart` can experience CPU exhaustion. ASGI applications using Starlette, FastAPI, or other frameworks that invoke `python-multipart` may have wo
Red Hat
python-multipart: python-multipart: Denial of Service via excessive multipart part headers
vendor_redhat·2026-05-13·CVSS 7.5
CVE-2026-42561 [HIGH] CWE-606 python-multipart: python-multipart: Denial of Service via excessive multipart part headers
A flaw was found in python-multipart. A remote attacker can exploit this denial of service (DoS) vulnerability by sending a specially crafted reque
No detection rules found.
No public exploits indexed.