CVE-2026-40347: CWE-400: Uncontrolled Resource Consumption in Kludex python-multipart
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The python-multipart library before version 0.0.26 has a vulnerability classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-834 (Excessive Iteration): specially crafted multipart/form-data requests with large preamble or epilogue sections cause a denial of service by exhausting resources during parsing. The fix in version 0.0.26 changes the parser to skip ahead to the next boundary candidate when processing leading CR/LF data and to discard epilogue data immediately after the closing boundary, mitigating the resource-exhaustion risk.
Potential Impact
Successful exploitation results in denial of service through resource exhaustion while the server parses a malicious multipart/form-data request. Confidentiality and integrity are not affected; only availability is. No exploits are known to be in the wild.
Mitigation Recommendations
Upgrade python-multipart to version 0.0.26 or later, where the vulnerability is fixed. No vendor advisory explicitly confirms the patch status, but the description states that upgrading to 0.0.26 or later addresses the issue. Until the upgrade is applied, systems remain vulnerable to denial of service via crafted multipart requests.
CVSS v3.1 score: 5.3 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-10T22:50:01.358Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e389f6bdfbbecc597650d2
Added to database: 4/18/2026, 1:41:10 PM
Last enriched: 4/26/2026, 2:41:31 AM
Last updated: 5/27/2026, 9:13:03 PM