PatchSiren cyber security CVE debrief

CVE-2026-24486 Kludex CVE debrief

CVE-2026-24486 is a Path Traversal vulnerability in Python-Multipart, a streaming multipart parser for Python. Prior to version 0.0.22, when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`, an attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch. As a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations. The vulnerability has a CVSS score of 8.6 and is considered HIGH severity. The CVE was published on January 27, 2026, and last modified on June 30, 2026.

Vendor: Kludex
Product: python-multipart
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-27
Original CVE updated: 2026-06-30
Advisory published: 2026-01-27
Advisory updated: 2026-06-30

Who should care

Developers and administrators running Python-Multipart should check whether their deployments set the non-default options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`, since only that combination is exposed, and either upgrade to version 0.0.22 or apply the recommended workaround. Users of Red Hat products may also be affected, as indicated by multiple Red Hat errata references.

Technical summary

The Path Traversal vulnerability in Python-Multipart allows an attacker to write uploaded files to arbitrary locations on the filesystem by supplying a crafted filename in the multipart upload. It is reachable only when the non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True` are both in use, because the client-supplied filename is then kept when the uploaded file is written under `UPLOAD_DIR`. The vulnerability is addressed in version 0.0.22 of Python-Multipart. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L: network-reachable, low attack complexity, no privileges or user interaction required, with high integrity impact (the arbitrary file write) and low confidentiality and availability impact, which yields the HIGH rating of 8.6.

Defensive priority

This vulnerability should be prioritized for remediation because an unauthenticated remote attacker can write files to arbitrary filesystem locations on an exposed system. Deployments that set both `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True` should be patched first; upgrading to version 0.0.22 of Python-Multipart is recommended everywhere.

Recommended defensive actions

  • Upgrade to version 0.0.22 of Python-Multipart
  • Avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations, so uploaded files are not written under a client-chosen name
  • Review and apply Red Hat errata updates if applicable
  • Monitor for upload requests whose filename carries path separators or `..` segments, and for files appearing outside the configured `UPLOAD_DIR`
  • Add application-side controls against file upload abuse: reduce client-supplied filenames to a bare basename before writing and verify that the resolved path stays inside the upload directory
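The last two actions, as an added example that is not python-multipart's own code nor its upstream fix: an application-side check that flags filenames which would escape the upload directory, beside a sanitizer that confines writes to it. The upload directory `/var/app/uploads` and the sample filenames are constructed for illustration.

```python
import ntpath
import os


def escapes_upload_dir(upload_dir: str, client_filename: str) -> bool:
    """Detection check: True when joining the client's filename verbatim
    (the risky pattern) would resolve outside upload_dir, i.e. the name
    is a traversal attempt worth logging. On a POSIX host a backslash is
    an ordinary filename character, so '..\\x' does not escape here."""
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, client_filename))
    return os.path.commonpath([root, target]) != root


def safe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Map a client-supplied filename to a path guaranteed to be a direct
    child of upload_dir, or raise ValueError."""
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Keep only the final component. ntpath.basename splits on both '/'
    # and '\\' and drops drive letters, so it also covers Windows clients.
    name = ntpath.basename(client_filename)
    if name in ("", ".", ".."):
        raise ValueError(f"unusable filename: {client_filename!r}")
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # Defence in depth: the resolved path must still sit directly under
    # the upload root (catches e.g. a pre-existing symlink of that name).
    if os.path.dirname(candidate) != root:
        raise ValueError(f"filename escapes upload dir: {client_filename!r}")
    return candidate


def accepts_filename(upload_dir: str, client_filename: str) -> bool:
    """True if safe_upload_path would accept this client filename."""
    try:
        safe_upload_path(upload_dir, client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names (not from the advisory); upload dir is hypothetical.
    for fname in ["report.pdf", "../../etc/passwd", "..\\..\\win.ini", ".."]:
        verdict = "TRAVERSAL" if escapes_upload_dir("/var/app/uploads", fname) else "ok"
        print(f"{fname!r:22} naive-join={verdict:9} sanitized-accepted="
              f"{accepts_filename('/var/app/uploads', fname)}")
```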

Evidence notes

The CVE-2026-24486 record was published on January 27, 2026, and last modified on June 30, 2026. The vulnerability is described in multiple sources, including the NVD and GitHub advisory GHSA-wp53-j4wj-2cfg. Red Hat has also published multiple errata references related to this vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.