PatchSiren cyber security CVE debrief
CVE-2026-24486 Kludex CVE debrief
CVE-2026-24486 is a Path Traversal vulnerability in Python-Multipart, a streaming multipart parser for Python. Prior to version 0.0.22, when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`, an attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch. As a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations. The vulnerability has a CVSS score of 8.6 and is considered HIGH severity. The CVE was published on January 27, 2026, and last modified on June 30, 2026.
- Vendor: Kludex
- Product: python-multipart
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-27
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-27
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using Python-Multipart in their projects should be aware of this vulnerability and take necessary actions to mitigate it. This includes upgrading to version 0.0.22 or applying the recommended workaround. Additionally, users of Red Hat products may be affected, as indicated by multiple Red Hat errata references.
Technical summary
The Path Traversal vulnerability in Python-Multipart allows an attacker to write uploaded files to arbitrary locations on the filesystem by supplying a crafted filename in the multipart request. This is only possible when the non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True` are both in use, since that combination stores each upload under its client-supplied name inside `UPLOAD_DIR`. The vulnerability is addressed in version 0.0.22 of Python-Multipart. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L: reachable over the network, low attack complexity, no privileges or user interaction required, with high integrity impact and low confidentiality and availability impact, which yields the high severity rating.
Defensive priority
This vulnerability should be prioritized for remediation due to its high severity and potential impact on affected systems. Upgrading to version 0.0.22 of Python-Multipart is recommended.
Recommended defensive actions
- Upgrade to version 0.0.22 of Python-Multipart
- Avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations
- Review and apply Red Hat errata updates if applicable
- Monitor for suspicious file uploads and system changes
- Implement additional security controls to prevent file upload abuse
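As an added example (not part of this debrief and not python-multipart's own code), the following Python shows the two defensive checks the technical summary and the monitoring action above imply: a filename allow-list with a post-resolution containment check for stored uploads, and a scan over captured `Content-Disposition` header values that flags names the allow-list would reject. It assumes the application keeps its parser settings in a plain dict using the `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME` keys named in the advisory; the function names, the `uploads` directory and the sample header lines are constructed for illustration.

```python
"""Defensive helpers for client-supplied upload filenames (added example,
not python-multipart's own code)."""
import re
from pathlib import Path, PureWindowsPath

# Allow-list: a single path component, alphanumeric start, no separators,
# no leading dot, bounded length. Anything else is rejected outright.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")

# Extracts the quoted filename parameter from a Content-Disposition value.
_FILENAME_PARAM = re.compile(r'filename="((?:[^"\\]|\\.)*)"')


def config_is_risky(config: dict) -> bool:
    """True when the option pair named in the advisory is configured.
    Assumes the settings live in a plain dict (assumption for this example)."""
    return bool(config.get("UPLOAD_DIR")) and bool(config.get("UPLOAD_KEEP_FILENAME"))


def safe_upload_path(upload_dir: str, client_filename: str) -> Path:
    """Return a destination path guaranteed to sit directly inside upload_dir.
    Raises ValueError for any name that carries a path component or fails
    the allow-list, so a traversal attempt never reaches the filesystem."""
    # PureWindowsPath treats both '/' and '\\' as separators, so taking
    # .name strips directory parts under either convention; if that changed
    # the string, the client sent a path rather than a bare filename.
    name = PureWindowsPath(client_filename).name
    if name != client_filename:
        raise ValueError("filename contained a path component")
    if name in ("", ".", "..") or not _SAFE_NAME.match(name):
        raise ValueError("filename rejected by allow-list")
    base = Path(upload_dir).resolve()
    dest = (base / name).resolve()
    # Containment check after resolution as a second, independent guard.
    if dest.parent != base:
        raise ValueError("destination escaped the upload directory")
    return dest


def check_filename(upload_dir: str, client_filename: str) -> tuple[bool, str]:
    """Wrap safe_upload_path into an (accepted, detail) pair."""
    try:
        dest = safe_upload_path(upload_dir, client_filename)
    except ValueError as exc:
        return False, str(exc)
    return True, dest.name


def flag_suspicious_uploads(content_disposition_values: list[str]) -> list[str]:
    """Return the filenames from captured Content-Disposition values that the
    allow-list would reject; useful when reviewing request logs for abuse."""
    flagged = []
    for value in content_disposition_values:
        match = _FILENAME_PARAM.search(value)
        if match and not check_filename(".", match.group(1))[0]:
            flagged.append(match.group(1))
    return flagged


# Constructed sample header values, not captured from a real system.
SAMPLE_HEADERS = [
    'form-data; name="file"; filename="photo.jpg"',
    'form-data; name="file"; filename="../../outside.txt"',
    'form-data; name="file"; filename="notes.txt"',
]

if __name__ == "__main__":
    print("risky config:", config_is_risky({"UPLOAD_DIR": "uploads", "UPLOAD_KEEP_FILENAME": True}))
    print("accepted:", check_filename("uploads", "report.pdf"))
    print("rejected:", check_filename("uploads", "../../outside.txt"))
    print("flagged in sample headers:", flag_suspicious_uploads(SAMPLE_HEADERS))
```

Rejecting the name before any path is built is the primary control; the post-resolution containment check only exists so that a future change to the allow-list cannot silently reopen the traversal. Where the application cannot move off `UPLOAD_KEEP_FILENAME=True` immediately, the same allow-list can be applied to the filename before it reaches the parser.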
Evidence notes
The CVE-2026-24486 record was published on January 27, 2026, and last modified on June 30, 2026. The vulnerability is described in multiple sources, including the NVD and GitHub advisory GHSA-wp53-j4wj-2cfg. Red Hat has also published multiple errata references related to this vulnerability.
Official resources
- CVE-2026-24486 CVE record (CVE.org)
- CVE-2026-24486 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Patch
- Mitigation or vendor reference: Product, Release Notes
- Mitigation or vendor reference: Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.