CVE-2026-24486
Path Traversal in Python-Multipart Allows Arbitrary File Write
Publication date: 2026-01-27
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastapiexpert | python-multipart | all versions before 0.0.22 (0.0.22 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24486 is a path traversal vulnerability in the python-multipart package versions prior to 0.0.22. It occurs when the configuration uses both UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. In this case, if an uploaded file's name starts with a forward slash (/), the library's path joining logic discards the intended upload directory path, allowing an attacker to write files to arbitrary locations on the filesystem by crafting malicious filenames. This vulnerability only affects users with this specific configuration and when the uploaded file size exceeds the memory limit, causing the file to be saved to disk. [1, 2]
How can this vulnerability impact me?
This vulnerability allows an attacker to write files to arbitrary locations on the filesystem without requiring privileges or user interaction. While the confidentiality impact is low, the integrity impact is high because attackers can overwrite or place files in sensitive locations, potentially leading to system compromise or disruption of service. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your python-multipart package version is 0.0.21 or earlier and if your configuration uses both UPLOAD_DIR set and UPLOAD_KEEP_FILENAME=True. Additionally, you can look for uploaded files with filenames starting with a forward slash (/) which may indicate exploitation attempts. Since the vulnerability involves arbitrary file writes via crafted filenames, monitoring file creation outside the intended upload directory could help detect it. Specific commands are not provided in the resources, but you can check the installed package version with `pip show python-multipart` and inspect your application configuration files for the mentioned settings. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the python-multipart package to version 0.0.22 or later. If upgrading is not possible right away, avoid using the configuration option UPLOAD_KEEP_FILENAME=True while UPLOAD_DIR is set. This prevents the vulnerability from being exploitable. The patch sanitizes filenames to prevent directory traversal by extracting only the basename of uploaded files. [1, 2]
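The path-joining behaviour described above, and the basename-based hardening the patch applies, as an added illustration (this is not python-multipart's own code; the upload directory and filenames are constructed examples, and the detection helper is an assumption about what a defender might log):

```python
import os
import posixpath

# Constructed example; python-multipart's real settings are UPLOAD_DIR and
# UPLOAD_KEEP_FILENAME, but this helper does not reproduce the library's API.
UPLOAD_DIR = "/srv/uploads"


def join_keep_filename_unsafe(upload_dir: str, filename: str) -> str:
    """Shows the defect: os.path.join drops every earlier component when a
    later one is absolute, so a filename beginning with '/' replaces the
    upload directory entirely instead of being placed inside it."""
    return os.path.join(upload_dir, filename)


def join_keep_filename_safe(upload_dir: str, filename: str) -> str:
    """Hardened form: keep only the basename (the approach the fix takes),
    then confirm the normalized result is still inside upload_dir."""
    # Treat backslashes as separators too, so Windows-style names from
    # clients cannot smuggle directory components past basename().
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError(f"unusable filename: {filename!r}")
    root = os.path.normpath(os.path.abspath(upload_dir))
    target = os.path.normpath(os.path.join(root, base))
    # Defense in depth: basename() already removed separators, but a
    # containment check catches any future regression in the sanitizer.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"filename escapes upload dir: {filename!r}")
    return target


def suspicious_upload_names(filenames):
    """Detection helper (assumed input: filenames recorded from multipart
    uploads). Flags names that would have escaped the upload directory
    under the vulnerable behaviour (leading '/') or that carry '..'
    components, which a legitimate client has no reason to send."""
    flagged = []
    for name in filenames:
        norm = name.replace("\\", "/")
        if norm.startswith("/") or ".." in norm.split("/"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(join_keep_filename_unsafe(UPLOAD_DIR, "/escaped.bin"))  # /escaped.bin
    print(join_keep_filename_safe(UPLOAD_DIR, "/escaped.bin"))    # /srv/uploads/escaped.bin
```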