PYSEC-2026-1494

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/kinto-attachment/PYSEC-2026-1494.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1494
Aliases
Published
2026-07-07T11:45:32.451178Z
Modified
2026-07-07T17:46:46.048191780Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
Summary
Kinto Attachment's attachments can be replaced on read-only records
Details

Impact

The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent (collection or bucket).

And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request.

Note that if the parent has no explicit read permission, then the records attachments are safe.

Patches

  • Patch released in kinto-attachment 6.4.0
  • https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1

Workarounds

None if the read permission has to remain granted.

Updating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended.

References

  • https://bugzilla.mozilla.org/show_bug.cgi?id=1879034
References

Affected packages

PyPI / kinto-attachment

Package

Name
kinto-attachment
View open source insights on deps.dev
Purl
pkg:pypi/kinto-attachment

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.4.0

Affected versions

0.*
0.1.0.dev0
0.1.0
0.2.0
0.3.0
0.4.0
0.5.0.dev0
0.5.0
0.5.1
0.6.0
0.7.0
0.7.1
0.8.0
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
2.*
2.0.0
2.0.1
2.1.0
3.*
3.0.0
3.0.1
4.*
4.0.0
5.*
5.0.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.2.0
6.3.0
6.3.1
6.3.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/kinto-attachment/PYSEC-2026-1494.yaml"