CVE-2026-3029
Path Traversal and Arbitrary File Write in PyMuPDF
Publication date: 2026-03-19
Last updated on: 2026-03-24
Assigner: CERT/CC
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pymupdf | pymupdf | 1.26.5 |
| pymupdf | pymupdf | 1.26.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3029 is a vulnerability in PyMuPDF 1.26.5 in the embedded-file "get" function in `__main__.py`, the code behind the `embed-extract` command-line subcommand. It allows path traversal and arbitrary file write while extracting embedded files from a PDF document.
Specifically, the filename stored in the PDF's embedded-file entry, which is chosen by whoever produced the PDF, was used as the output path without checks: `embed-extract` could write files outside the current working directory or silently overwrite existing files, enabling directory traversal attacks or unintended file overwrites. [2]
How can this vulnerability impact me?
If you extract embedded files from a PDF you did not produce yourself using a vulnerable PyMuPDF, the PDF's author can choose where on your filesystem the extracted file lands (within the permissions of the user running the command) and can overwrite files that already exist there.
Such arbitrary file writes can lead to data loss or corruption, and to code execution if the overwritten file is one that is later executed or loaded (a script, a library, a configuration or startup file).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability relates to unsafe extraction of embedded files using the PyMuPDF `embed-extract` command, which can lead to directory traversal or arbitrary file overwrite.
To detect whether your system is vulnerable, check the installed PyMuPDF version (for example with `pip show pymupdf` or `python -c "import pymupdf; print(pymupdf.__version__)"`). Versions up to and including 1.26.5 are affected; the fix was introduced in version 1.26.6.
You can also test the behavior of `embed-extract` directly with a PDF you built yourself whose embedded-file entry carries an unsafe stored filename, such as one containing a directory traversal sequence (e.g. `../../test.txt`). Note that the traversal sequence lives in the filename stored inside the PDF, not on the command line: without `-output`, `embed-extract` writes the entry to that stored filename in the current directory.
Example command to test extraction (replace `file.pdf` with your PDF file and `ENTRY` with the name of the embedded entry, as listed by `python -m pymupdf embed-info file.pdf`):
- python -m pymupdf embed-extract -name ENTRY file.pdf
Run it from an empty scratch directory as an unprivileged user, and check where the file actually appears afterwards. If the extraction refuses to write outside the current directory and refuses to overwrite an existing file unless the `-unsafe` flag is given, your version includes the fix. If it writes outside the directory or silently overwrites, your version is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade PyMuPDF to version 1.26.6 or later, where the vulnerability has been fixed.
If upgrading is not immediately possible, keep in mind that a vulnerable version performs no safety check at all: treat `embed-extract` as an operation that lets the PDF's author pick the output path. Run it only on PDFs you trust, from a dedicated empty working directory, as an unprivileged user with no write access outside that directory, and prefer passing an explicit `-output` filename so that the name stored in the PDF is not used as the output path.
Once you have upgraded, do not pass the `-unsafe` flag when extracting embedded files, as it overrides the new safety restrictions and again allows directory traversal and file overwrites.
Also make sure extraction commands do not run with elevated privileges, which would increase the impact of a successful write, and review any automated pipelines that call `embed-extract` on untrusted input.
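The two checks described in the detection and mitigation answers above (never write outside the extraction directory, never overwrite an existing file unless explicitly asked to), written out as an added stand-alone example. This is not PyMuPDF's own code and does not use the library: the entry names and payloads below are constructed sample data standing in for the embedded-file entries a PDF could carry, the `unsafe` parameter is a hypothetical stand-in for the `-unsafe` flag, and `run_demo` is an illustrative harness that extracts into a fresh temporary directory.

```python
"""Hardened embedded-file extraction (added example, not PyMuPDF's code).

Models the output step of `embed-extract`: the entry name comes from the PDF,
so it is attacker-controlled and must be contained before it is used as a path.
"""
import os
import re
import tempfile
from pathlib import Path

# Constructed sample entries: (stored filename, payload). A real PDF's author
# chooses these names, which is why they must be treated as hostile input.
SAMPLE_ENTRIES = [
    ("report.txt", b"benign content\n"),
    ("../../outside.txt", b"would land outside the extraction directory\n"),
    ("/tmp/absolute.txt", b"absolute path\n"),
    ("sub/dir/nested.bin", b"\x00\x01\x02"),
    ("report.txt", b"second entry with the same name: an overwrite attempt\n"),
]


class UnsafeExtraction(Exception):
    """Raised when an entry would escape the output directory or clobber a file."""

    def __init__(self, reason: str, name: str):
        super().__init__(f"{reason}: {name!r}")
        self.reason = reason


def safe_target(base: Path, name: str) -> Path:
    """Map an untrusted entry name to a path guaranteed to lie under `base`."""
    normalized = name.replace("\\", "/")  # accept either separator, then use one
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        raise UnsafeExtraction("absolute", name)
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafeExtraction("empty", name)
    if ".." in parts:
        raise UnsafeExtraction("traversal", name)
    # Lexical filtering alone is not enough: a symlink already present under
    # base could redirect the write elsewhere, so verify the resolved path too.
    resolved = base.joinpath(*parts).resolve()
    if resolved != base and base not in resolved.parents:
        raise UnsafeExtraction("escape", name)
    return resolved


def extract_entry(out_dir, name: str, data: bytes, unsafe: bool = False) -> Path:
    """Write one entry under out_dir; with unsafe=False both checks are enforced."""
    base = Path(out_dir).resolve()
    if unsafe:
        # Hypothetical stand-in for -unsafe as the advisory describes it: the
        # caller has opted out of containment and overwrite protection.
        target = base / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return target
    target = safe_target(base, name)
    target.parent.mkdir(parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    try:
        # O_EXCL makes "never overwrite" atomic: no check-then-write race window.
        fd = os.open(target, flags, 0o644)
    except FileExistsError:
        raise UnsafeExtraction("exists", name) from None
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def run_demo(entries, unsafe: bool = False):
    """Extract `entries` into a fresh temporary directory; return (name, outcome) pairs."""
    out_dir = Path(tempfile.mkdtemp(prefix="embed-extract-"))
    outcomes = []
    for name, data in entries:
        try:
            extract_entry(out_dir, name, data, unsafe=unsafe)
            outcomes.append((name, "written"))
        except UnsafeExtraction as exc:
            outcomes.append((name, f"rejected:{exc.reason}"))
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_demo(SAMPLE_ENTRIES):
        print(f"{outcome:20} {name}")
    # The unsafe path is only ever fed names that stay inside the directory
    # here, because it really would write to the hostile locations otherwise.
    for name, outcome in run_demo([SAMPLE_ENTRIES[0], SAMPLE_ENTRIES[4]], unsafe=True):
        print(f"{outcome:20} {name} (unsafe=True)")
```

With the checks on, the traversal and absolute-path entries are rejected before any write, and the duplicate `report.txt` is refused because the first copy already exists; with `unsafe=True` the duplicate silently replaces it, which is exactly the behaviour the advisory says a vulnerable version has by default.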