CVE-2026-53537
Analyzed Analyzed - Analysis Complete

Path Traversal in Python-Multipart

Vulnerability report for CVE-2026-53537, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 Β§4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-26
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fastapiexpert python-multipart to 0.0.30 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, upgrade the python-multipart library to version 0.0.30 or later.

The fixed version ignores extended parameters in Content-Disposition headers, ensuring that plain parameters remain authoritative and preventing attackers from smuggling different field names or filenames past upstream inspectors.

Impact Analysis

This vulnerability can allow attackers to bypass upstream security inspections by smuggling different field names or filenames to the backend server.

  • Bypassing access controls that rely on inspecting multipart/form-data fields.
  • Potential path traversal attacks through decoded sequences like ..%2F in filenames.
  • Confusion or unexpected behavior caused by decoded control bytes such as %00 in filenames.

Overall, this can lead to unauthorized access or manipulation of backend systems.

Executive Summary

CVE-2026-53537 is a vulnerability in the python-multipart library versions before 0.0.30. The issue arises because the library parses Content-Disposition headers using RFC 2231/5987 extended parameter syntax, which is not allowed by RFC 7578 Β§4.2 for multipart/form-data.

This parsing causes the extended parameters (like filename*=charset'lang'value) to override the plain parameters, allowing an attacker to smuggle different field names or filenames past upstream inspectors such as web application firewalls, proxies, or gateways. This means the backend may receive a different field name or filename than what the upstream components see.

This discrepancy can be exploited to bypass security controls or cause confusion in handling uploaded files.

Compliance Impact

The vulnerability in python-multipart involves the improper handling of extended parameters in multipart/form-data headers, which can be exploited to smuggle different field names or filenames past upstream inspectors to the backend.

This manipulation could potentially lead to bypassing access controls or path traversal attacks, which may result in unauthorized access or exposure of sensitive data.

Such unauthorized access or data exposure could negatively impact compliance with standards and regulations like GDPR or HIPAA, which require strict controls over personal and sensitive data to prevent breaches.

Therefore, this vulnerability poses a risk to maintaining compliance with these regulations by enabling attackers to circumvent security mechanisms designed to protect sensitive information.

Detection Guidance

This vulnerability involves the parsing of Content-Disposition headers with extended parameters in multipart/form-data requests. Detection involves inspecting HTTP traffic for multipart/form-data requests that include extended parameter syntax such as filename*=charset'lang'value or filename*0/filename*1 continuation forms.

You can detect potential exploitation attempts by searching for these extended parameters in HTTP requests passing through your network or system.

  • Use network traffic analysis tools like tcpdump or Wireshark to capture HTTP traffic and filter for multipart/form-data content.
  • Example tcpdump command to capture HTTP traffic on port 80: sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Use grep or similar tools to search captured HTTP requests for the presence of 'filename*=' or 'name*=' strings, which indicate extended parameter usage.
  • Example grep command on a captured HTTP request log: grep -iE 'filename\*=|name\*=' captured_http_requests.log

Additionally, review your python-multipart library version in your environment. If it is prior to 0.0.30, it is vulnerable and should be upgraded.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53537. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart