CVE-2026-24486
Unknown Unknown - Not Provided
Path Traversal in Python-Multipart Allows Arbitrary File Write

Publication date: 2026-01-27

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24486
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fastapiexpert python-multipart to 0.0.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24486 is a path traversal vulnerability in the python-multipart package versions prior to 0.0.22. It occurs when the configuration uses both UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. In this case, if an uploaded file's name starts with a forward slash (/), the library's path joining logic discards the intended upload directory path, allowing an attacker to write files to arbitrary locations on the filesystem by crafting malicious filenames. This vulnerability only affects users with this specific configuration and when the uploaded file size exceeds the memory limit, causing the file to be saved to disk. [1, 2]

Impact Analysis

This vulnerability allows an attacker to write files to arbitrary locations on the filesystem without requiring privileges or user interaction. While the confidentiality impact is low, the integrity impact is high because attackers can overwrite or place files in sensitive locations, potentially leading to system compromise or disruption of service. [1]

Detection Guidance

This vulnerability can be detected by checking if your python-multipart package version is 0.0.21 or earlier and if your configuration uses both UPLOAD_DIR set and UPLOAD_KEEP_FILENAME=True. Additionally, you can look for uploaded files with filenames starting with a forward slash (/) which may indicate exploitation attempts. Since the vulnerability involves arbitrary file writes via crafted filenames, monitoring file creation outside the intended upload directory could help detect it. Specific commands are not provided in the resources, but you can check the installed package version with `pip show python-multipart` and inspect your application configuration files for the mentioned settings. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the python-multipart package to version 0.0.22 or later. If upgrading is not possible right away, avoid using the configuration option UPLOAD_KEEP_FILENAME=True while UPLOAD_DIR is set. This prevents the vulnerability from being exploitable. The patch sanitizes filenames to prevent directory traversal by extracting only the basename of uploaded files. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24486. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart