Description
django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILES. Depending on how files are handled, this may lead to confidentiality and integrity issues. This vulnerability is fixed in 7.0.2.
Published: 2026-05-12
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

django-s3file is a lightweight file‑upload component for Django that relies on Amazon S3. Prior to version 7.0.2, the S3FileMiddleware processes upload requests without validating the destination file path. An attacker can craft a request that manipulates a pre‑signed S3 upload URL, causing the middleware to load a file from an arbitrary filesystem location into request.FILES. This relative path traversal flaw is a classic example of CWE‑22 and CWE‑26. As a result, sensitive files can be read and application logic may inadvertently expose or modify data, leading to confidentiality and integrity problems.

Affected Systems

The issue affects the codingjoe django‑s3file package. All releases older than 7.0.2 are vulnerable. Organizations that have installed any earlier version of this package are exposed until the update is applied.

Risk and Exploitability

The CVSS score of 9.9 marks it as critical. The EPSS score is not available, so the current exploitation probability cannot be quantified, but the vulnerability is widely exploitable through normal HTTP traffic. It is not listed in CISA KEV, indicating no known public exploit at this time. However, an attacker only needs to send a crafted upload request, making the attack vector easy to construct and the impact severe. Prompt remediation is essential.

Generated by OpenCVE AI on May 12, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade django-s3file to version 7.0.2 or later.
  • If upgrade cannot be performed immediately, disable or remove S3FileMiddleware until the fix is deployed.
  • Add strict validation on file paths received in request.FILES, ensuring only expected directories are allowed and rejecting any traversal sequences.

Generated by OpenCVE AI on May 12, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-67qg-7284-2277 django-s3file is vulnerable to relative path traversal
History

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILES. Depending on how files are handled, this may lead to confidentiality and integrity issues. This vulnerability is fixed in 7.0.2.
Title django-s3file: Relative path traversal
Weaknesses CWE-22
CWE-26
References
Metrics cvssV4_0

{'score': 9.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T20:58:02.872Z

Reserved: 2026-04-25T01:53:21.584Z

Link: CVE-2026-42196

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T22:16:34.193

Modified: 2026-05-12T22:16:34.193

Link: CVE-2026-42196

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T22:45:15Z

Weaknesses