CVE-2026-3029
Received Received - Intake
Path Traversal and Arbitrary File Write in PyMuPDF

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: CERT/CC

Description
A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3029
EUVD
EUVD-2026-13117
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pymupdf pymupdf 1.26.5
pymupdf pymupdf 1.26.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-3029 is a vulnerability in PyMuPDF version 1.26.5 involving the embedded get function in the '_main_.py' file. It allows an attacker to perform path traversal and arbitrary file write during the extraction of embedded files from PDF documents."}, {'type': 'paragraph', 'content': "Specifically, the vulnerability arises because the 'embed-extract' command could write files outside the current working directory or overwrite existing files without proper checks, enabling directory traversal attacks or unintended file overwrites."}] [2]

Impact Analysis

This vulnerability can impact you by allowing malicious actors to overwrite important files or write files to arbitrary locations on your system when extracting embedded files from PDFs using PyMuPDF.

Such arbitrary file writes can lead to data loss, corruption, or potentially executing malicious code if critical system or application files are overwritten.

Compliance Impact

I don't know

Detection Guidance

This vulnerability relates to unsafe extraction of embedded files using the PyMuPDF `embed-extract` command, which can lead to directory traversal or arbitrary file overwrite.

To detect if your system is vulnerable, you can check if you are using PyMuPDF version 1.26.5 or earlier, as the fix was introduced in version 1.26.6.

You can test the behavior of the `embed-extract` command by attempting to extract embedded files with potentially unsafe filenames, such as those containing directory traversal sequences (e.g., `../../test.txt`).

Example command to test extraction (replace `file.pdf` with your PDF file):

  • python -m pymupdf embed-extract file.pdf

If the extraction refuses to write files outside the current directory or refuses to overwrite existing files without the `-unsafe` flag, your version includes the fix. If it allows these unsafe operations, your version is vulnerable.

Mitigation Strategies

The primary mitigation is to upgrade PyMuPDF to version 1.26.6 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, avoid using the `embed-extract` command without the default safety checks.

Specifically, do not use the `-unsafe` flag when extracting embedded files, as this flag overrides safety restrictions and can allow directory traversal or file overwrites.

Additionally, monitor and restrict file extraction operations to trusted PDF files only, and ensure that extraction commands do not run with elevated privileges that could increase the impact of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3029. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart