PatchSiren cyber security CVE debrief
CVE-2026-8328 Python Software Foundation CVE debrief
CVE-2026-8328 is a medium-severity vulnerability in Python's ftplib module, specifically within the ftpcp() function. The issue represents an incomplete fix for CVE-2021-4189: while makepasv() was patched to prevent server-supplied PASV host address spoofing by substituting the actual peer address, ftpcp() was overlooked and continues to call parse227() directly. This allows an attacker-controllable IP address and port from a malicious FTP server to be passed to target.sendport(), potentially enabling Server-Side Request Forgery (SSRF) or traffic redirection attacks. The vulnerability is classified under CWE-918 (Server-Side Request Forgery). The issue was published on 2026-05-13 and last modified on 2026-06-10. Multiple commits addressing this vulnerability have been identified in the CPython repository.
- Vendor: Python Software Foundation
- Product: CPython
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-06-10
- Advisory published: 2026-05-13
- Advisory updated: 2026-06-10
Who should care
Organizations running Python applications that use ftplib.ftpcp() to transfer files between FTP servers, particularly those connecting to untrusted or internet-facing FTP servers. Security teams monitoring for SSRF vulnerabilities and developers maintaining legacy Python FTP automation should prioritize this fix.
Technical summary
The ftpcp() function in Python's Lib/ftplib.py fails to apply the same peer-address validation that was added to makepasv() in the CVE-2021-4189 fix. When processing PASV responses, ftpcp() directly invokes parse227() and forwards the resulting attacker-controlled IP address and port to target.sendport(), bypassing the getpeername()[0] substitution that prevents address spoofing. This creates a Server-Side Request Forgery vector where a malicious FTP server can redirect client connections to arbitrary hosts and ports.
Defensive priority
medium
Recommended defensive actions
- Apply the relevant CPython patches from the identified GitHub commits to ensure ftpcp() uses the actual peer address rather than server-supplied PASV addresses
- Upgrade to a Python version that includes the complete fix for this vulnerability once available
- Review custom or third-party code that uses ftplib.ftpcp() for similar patterns that may trust server-supplied addresses
- Implement network segmentation to restrict FTP client connections to trusted servers where possible
- Monitor for anomalous outbound connections from applications using ftplib that may indicate SSRF exploitation attempts
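The pattern described in the technical summary, and the monitoring check suggested above, as an added example (not CPython's own code, not from this advisory): the unpatched path forwards whatever host the 227 reply names, the patched path keeps the port but substitutes the control connection's peer address, and a small detection helper flags replies that point elsewhere. The FakeControlConn class and the addresses are constructed for the example; trust_server_pasv_ipv4 mirrors the opt-in that the makepasv() fix introduced.

```python
import ftplib


class FakeControlConn:
    """Stand-in for the FTP control socket (constructed); only getpeername() is needed here."""

    def __init__(self, peer_host, peer_port=21):
        self._peer = (peer_host, peer_port)

    def getpeername(self):
        return self._peer


def pasv_target_unpatched(resp):
    """The overlooked pattern: use whatever host/port the server put in its 227 reply."""
    return ftplib.parse227(resp)


def pasv_target_patched(resp, control_sock, trust_server_pasv_ipv4=False):
    """CVE-2021-4189-style fix: keep the port, replace the host with the control peer's address."""
    host, port = ftplib.parse227(resp)
    if not trust_server_pasv_ipv4:
        host = control_sock.getpeername()[0]
    return host, port


def pasv_redirect_attempted(resp, control_sock):
    """Detection helper: True when the 227 reply names a host other than the server we are talking to."""
    host, _ = ftplib.parse227(resp)
    return host != control_sock.getpeername()[0]


if __name__ == "__main__":
    # Constructed sample: control connection to 198.51.100.20, PASV reply names 203.0.113.7:1234
    ctrl = FakeControlConn("198.51.100.20")
    reply = "227 Entering Passive Mode (203,0,113,7,4,210)."
    print("unpatched would connect to:", pasv_target_unpatched(reply))
    print("patched connects to:       ", pasv_target_patched(reply, ctrl))
    print("redirect attempted:        ", pasv_redirect_attempted(reply, ctrl))
```

Logging the result of pasv_redirect_attempted() on every PASV reply gives a concrete signal for the anomalous-connection monitoring recommended above.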
Evidence notes
The CVE description explicitly states that ftpcp() was not updated when CVE-2021-4189 was fixed, and that it continues to pass raw attacker-controllable IP addresses and ports to target.sendport(). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), attack requirements present (AT:P), no privileges required (PR:N), active user interaction required (UI:A), and high integrity impact on the vulnerable system (VI:H). The weakness is identified as CWE-918. Five GitHub commits and one pull request are referenced as remediation evidence.
Official resources
2026-05-13T21:16:50.167Z