2433132 – (CVE-2026-24486) CVE-2026-24486 python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability

Bug 2433132 (CVE-2026-24486) - CVE-2026-24486 python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability

Summary: CVE-2026-24486 python-multipart: Python-Multipart: Arbitrary file write via p...

Keywords:
Status:	NEW
Alias:	CVE-2026-24486
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2433371 2433372 2433373 2433374
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-27 01:01 UTC by OSIDB Bzimport
Modified:	2026-01-27 14:32 UTC (History)
CC List:	51 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-27 01:01:23 UTC

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

Note You need to log in before you can comment on or make changes to this bug.

adudiak
alinfoot
anpicker
anthomas
aprice
bbrownin
bparees
dfreiber
drow
dtrifiro
ebourniv
ehelms
ggainey
hasun
jburrell
jdobes
jfula
jkoehler
jowilson
jsamir
juwatts
jwong
kaycoth
kshier
lgallett
lphiri
mhayden
mhulan
nmoumoul
nyancey
oezr
omaciel
ometelka
orabin
osousa
pcreech
ptisnovs
rbryant
rchan
sbunciak
sdoran
smallamp
stcannon
syedriko
teagle
tmalecek
ttakamiy
vkumar
weaton
xdharmai
yguenane