Description
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
Published: 2026-01-27
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Immediate Patch
AI Analysis

Impact

Python-Multipart, a multipart parser used in Python web projects, contains a Path Traversal flaw when its non-default settings allow the original file name to be preserved. The flaw enables an attacker to craft a malicious file name and cause the parser to write the uploaded content to an arbitrary path on the host system. This can lead to overwriting or creating critical files, potentially affecting confidentiality, integrity, or availability. The weakness is classified as CWE‑22, a classic file path manipulation vulnerability.

Affected Systems

The vendor of this package is Kludex, with the product named python‑multipart. Software using earlier releases of python‑multipart before version 0.0.22 is affected. The affected configuration relies on an explicit UPLOAD_DIR and the flag UPLOAD_KEEP_FILENAME set to true. The Common Platform Enumeration indicates use in Python environments, typically within the FastAPI ecosystem.

Risk and Exploitability

The scoring model gives a CVSS score of 8.6, indicating high severity, while the EPSS score is less than 1%, suggesting a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector would involve uploading a crafted multipart payload to a service that has enabled the risky configuration, allowing the attacker to write files wherever the process has permission. Although exploitation is currently unlikely, the potential impact of arbitrary write and the high severity mean it should be treated with priority.

Generated by OpenCVE AI on April 18, 2026 at 02:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to python‑multipart version 0.0.22 or later
  • If an upgrade is not yet possible, disable the UPLOAD_KEEP_FILENAME option or revert to the default configuration that does not preserve the client‑supplied file name
  • Ensure that any configuration which allows file uploads is properly validated or that the upload directory is owned by a non‑privileged user and has strict permissions

Generated by OpenCVE AI on April 18, 2026 at 02:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wp53-j4wj-2cfg Python-Multipart has Arbitrary File Write via Non-Default Configuration
Ubuntu USN Ubuntu USN USN-8027-1 Python-Multipart vulnerabilities
History

Tue, 17 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Fastapiexpert
Fastapiexpert python-multipart
CPEs cpe:2.3:a:fastapiexpert:python-multipart:*:*:*:*:*:python:*:*
Vendors & Products Fastapiexpert
Fastapiexpert python-multipart

Wed, 28 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Kludex
Kludex python-multipart
Vendors & Products Kludex
Kludex python-multipart

Tue, 27 Jan 2026 01:00:00 +0000

Type Values Removed Values Added
Description Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
Title Python-Multipart has Arbitrary File Write via Non-Default Configuration
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L'}

Subscriptions

Fastapiexpert Python-multipart
Kludex Python-multipart
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T20:51:06.407Z

Reserved: 2026-01-23T00:38:20.548Z

Link: CVE-2026-24486

cve-icon Vulnrichment

Updated: 2026-01-27T20:51:01.362Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-27T01:16:02.303

Modified: 2026-02-17T20:44:50.210

Link: CVE-2026-24486

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-27T00:34:06Z

Links: CVE-2026-24486 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T02:45:27Z

Weaknesses