PYSEC-2026-1852

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/python-multipart/PYSEC-2026-1852.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1852
Aliases
Published
2026-07-07T16:03:20.509610Z
Modified
2026-07-07T17:48:07.217083848Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L CVSS Calculator
Summary
Python-Multipart has Arbitrary File Write via Non-Default Configuration
Details

Summary

A Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename.

Details

When UPLOAD_DIR is set and UPLOAD_KEEP_FILENAME is True, the library constructs the file path using os.path.join(file_dir, fname). Due to the behavior of os.path.join(), if the filename begins with a /, all preceding path components are discarded:

os.path.join("/upload/dir", "/etc/malicious") == "/etc/malicious"

This allows an attacker to bypass the intended upload directory and write files to arbitrary paths.

Affected Configuration

Projects are only affected if all of the following are true:
- UPLOAD_DIR is set - UPLOAD_KEEP_FILENAME is set to True - The uploaded file exceeds MAX_MEMORY_FILE_SIZE (triggering a flush to disk)

The default configuration is not vulnerable.

Impact

Arbitrary file write to attacker-controlled paths on the filesystem.

Mitigation

Upgrade to version 0.0.22, or avoid using UPLOAD_KEEP_FILENAME=True in project configurations.

References

Affected packages

PyPI / python-multipart

Package

Name
python-multipart
View open source insights on deps.dev
Purl
pkg:pypi/python-multipart

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.22

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/python-multipart/PYSEC-2026-1852.yaml"