CVE-2026-53537
Received - Intake
Path Traversal in Python-Multipart

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: kludex
Product: python-multipart
Version / Range: up to 0.0.30 (exclusive)
CWE ID   Description
CWE-20   The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-436  Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Mitigation Strategies

To mitigate this vulnerability, upgrade the python-multipart library to version 0.0.30 or later.

The fixed version ignores extended parameters in Content-Disposition headers, ensuring that plain parameters remain authoritative and preventing attackers from smuggling different field names or filenames past upstream inspectors.
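The parser differential described above, and the "plain parameters remain authoritative" behaviour of the fix, can be seen side by side in the following added example. It is not python-multipart's code and not taken from this advisory: lenient_parse() is my approximation of what versions before 0.0.30 did by handing the header to email.message.Message (which applies RFC 2231/5987 decoding), strict_parse() is an RFC 7578-style parser that accepts only plain parameters and reports every extended-syntax name, and parsers_disagree() flags a header on which the two would diverge. The sample headers and all function names are constructed for this illustration.

```python
"""Added illustration of the parser differential behind CVE-2026-53537.

lenient_parse() approximates python-multipart < 0.0.30 (it is not that
project's code): email.message.Message applies RFC 2231/5987 decoding, so
`filename*` and `filename*0`/`filename*1` land under the bare `filename` key
and, being appended after the plain parameters, win once the result is put
into a dict. strict_parse() follows RFC 7578 §4.2: plain parameters only,
with every extended-syntax name reported so a gateway or upload handler can
reject or log the part instead of silently disagreeing with the backend.
"""
from email.message import Message
from typing import Dict, List, Tuple


def lenient_parse(header: str) -> Dict[str, str]:
    """Hypothetical helper mimicking the pre-0.0.30 behaviour."""
    msg = Message()
    msg["content-type"] = header          # get_params() reads this header by default
    params = msg.get_params() or []
    out: Dict[str, str] = {}
    for key, value in params[1:]:         # params[0] is the disposition token itself
        if isinstance(value, tuple):      # (charset, language, value) from RFC 2231 decoding
            value = value[-1]
        out[key.lower()] = value          # later entries override: the decoded form wins
    return out


def _split_params(header: str) -> List[str]:
    """Split on ';' outside double-quoted strings (backslash escapes honoured)."""
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = escaped = False
    for ch in header:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def strict_parse(header: str) -> Tuple[str, Dict[str, str], List[str]]:
    """RFC 7578-style parse: returns (disposition, plain params, rejected names).

    A parameter whose name contains '*' (filename*, filename*0, name*) is never
    decoded; its name is appended to `rejected`. A non-empty `rejected` list is
    exactly the condition an upstream inspector should alert on or refuse.
    """
    parts = _split_params(header)
    disposition = parts[0].lower() if parts else ""
    params: Dict[str, str] = {}
    rejected: List[str] = []
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if not sep:
            continue                      # bare token, carries no value
        if "*" in name:
            rejected.append(name)
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        params[name] = value
    return disposition, params, rejected


def parsers_disagree(header: str) -> bool:
    """True when a lenient backend and a strict inspector would see different
    name/filename values for the same header, i.e. the differential exists."""
    lenient = lenient_parse(header)
    _, strict, _ = strict_parse(header)
    return any(lenient.get(k) != strict.get(k) for k in ("name", "filename"))


# Constructed sample headers with benign values; only the discrepancy matters.
PLAIN_AND_EXTENDED = 'form-data; name="upload"; filename="a.txt"; filename*=utf-8\'\'b.txt'
CONTINUATION = 'form-data; name="upload"; filename*0="c.t"; filename*1="xt"'
CLEAN = 'form-data; name="upload"; filename="a.txt"'

if __name__ == "__main__":
    for h in (PLAIN_AND_EXTENDED, CONTINUATION, CLEAN):
        print(h)
        print("  lenient:", lenient_parse(h))
        print("  strict: ", strict_parse(h))
        print("  differ: ", parsers_disagree(h))
```

Running the script shows the lenient parser reporting filename b.txt for the first header and c.txt for the continuation form, while the strict parser keeps a.txt (or no filename at all) and lists the rejected names; that rejected list is what a WAF or gateway that follows RFC 7578 can act on, and a backend on 0.0.30 or later behaves like the strict side.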

Impact Analysis

This vulnerability can allow attackers to bypass upstream security inspections by smuggling different field names or filenames to the backend server.

  • Bypassing access controls that rely on inspecting multipart/form-data fields.
  • Potential path traversal attacks through decoded sequences like ..%2F in filenames.
  • Confusion or unexpected behavior caused by decoded control bytes such as %00 in filenames.

Overall, this can lead to unauthorized access or manipulation of backend systems.

Executive Summary

CVE-2026-53537 is a vulnerability in the python-multipart library versions before 0.0.30. The issue arises because the library parses Content-Disposition headers using RFC 2231/5987 extended parameter syntax, which is not allowed by RFC 7578 §4.2 for multipart/form-data.

This parsing causes the extended parameters (like filename*=charset'lang'value) to override the plain parameters, allowing an attacker to smuggle different field names or filenames past upstream inspectors such as web application firewalls, proxies, or gateways. This means the backend may receive a different field name or filename than what the upstream components see.

This discrepancy can be exploited to bypass security controls or cause confusion in handling uploaded files.
