Cyber Posture

CVE-2026-24486

Severity: High · Public PoC

Published: 27 January 2026

Modified: 17 February 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
EPSS Score: 0.0096 (76.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using the non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Directly mitigates the path traversal by requiring timely remediation of the flaw, i.e. upgrading Python-Multipart to version 0.0.22.
- Prevent: Requires validation of uploaded filenames so that names containing path traversal sequences such as `../` are rejected, preventing arbitrary file writes.
- Prevent: Ensures secure configuration settings by prohibiting vulnerable non-default options such as `UPLOAD_KEEP_FILENAME=True`.

Security Summary (AI-generated)

CVE-2026-24486 is a Path Traversal vulnerability (CWE-22) affecting Python-Multipart, a streaming multipart parser library for Python. The issue exists in versions prior to 0.0.22 when developers configure the non-default options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. In this setup, the library fails to properly sanitize filenames in multipart uploads, allowing traversal outside the intended upload directory.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L). By crafting a malicious filename in an uploaded file—such as one containing `../` sequences—the attacker can write the file to arbitrary locations on the server's filesystem, potentially leading to high integrity impacts like overwriting critical files, alongside low confidentiality and availability effects.

The python-multipart security advisory (GHSA-wp53-j4wj-2cfg), release notes for version 0.0.22, and the patching commit (9433f4bbc9652bdde82bbe380984e32f8cfc89c4) on GitHub recommend upgrading to version 0.0.22, which addresses the flaw. As a workaround, avoid enabling `UPLOAD_KEEP_FILENAME=True` in configurations.
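As an added illustration (not python-multipart's own code, nor the advisory's), the block below contrasts the unsafe "join the client filename onto the upload directory" pattern that the `UPLOAD_DIR` + `UPLOAD_KEEP_FILENAME=True` configuration amounts to with the kind of filename validation the mitigating-control entry above calls for. The `UPLOAD_DIR` value, the function names and the POSIX-filesystem assumption are mine.

```python
import os
import re
from pathlib import Path

UPLOAD_DIR = "/srv/app/uploads"  # constructed value for the demo

# Allow-list for a bare filename: no leading dot, no separators, no NUL.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

def naive_upload_path(upload_dir: str, client_filename: str) -> str:
    """The unsafe pattern: join the Content-Disposition filename as-is.
    os.path.join applies '..' components and lets an absolute filename
    replace upload_dir outright, so the result can land anywhere."""
    return os.path.normpath(os.path.join(upload_dir, client_filename))

def escapes_upload_dir(upload_dir: str, client_filename: str) -> bool:
    """True if the naive join lands outside upload_dir. Handy for a
    retrospective pass over filenames seen in logged multipart requests."""
    root = os.path.normpath(upload_dir)
    candidate = naive_upload_path(root, client_filename)
    return os.path.commonpath([root, candidate]) != root

def safe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Return a path strictly inside upload_dir, or raise ValueError.
    Rejects rather than strips: a separator or '..' in the name is
    evidence of tampering, not something to silently repair."""
    if not _SAFE_NAME.fullmatch(client_filename):
        raise ValueError(f"rejected upload filename: {client_filename!r}")
    root = Path(upload_dir).resolve()
    target = (root / client_filename).resolve()
    # Also catches a pre-existing symlink of that name pointing out of root.
    if target.parent != root:
        raise ValueError(f"filename resolves outside upload dir: {client_filename!r}")
    return str(target)

def is_accepted(upload_dir: str, client_filename: str) -> bool:
    """Boolean wrapper around safe_upload_path for bulk checks."""
    try:
        safe_upload_path(upload_dir, client_filename)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for name in ("report.pdf", "../../etc/passwd", "/opt/app/config.yml", ".bashrc"):
        print(f"{name!r:22} escapes={escapes_upload_dir(UPLOAD_DIR, name)!s:5} "
              f"accepted={is_accepted(UPLOAD_DIR, name)}")
```

Note that `escapes_upload_dir` tolerates a name like `sub/../report.pdf` because the naive join still lands inside the directory, while `safe_upload_path` rejects it outright; the two checks answer different questions (what would the old code have done, versus what should new code accept).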

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: fastapiexpert / python-multipart, version ≤ 0.0.22

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? The path traversal in Python-Multipart enables an unauthenticated remote file write to arbitrary locations via a public-facing multipart upload endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References