PYSEC-2026-3428

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/wsgidav/PYSEC-2026-3428.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-3428
Aliases
Published
2026-07-13T15:46:16.868348Z
Modified
2026-07-13T16:33:27.849732925Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
WsgiDAV encoded dot segments can escape filesystem share roots
Details

Impact

WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.

Patches

The issue is fixed with version 4.3.4.

Preconditions

The practical impact depends on the deployment.

The deployment uses a filesystem-backed WsgiDAV share.

The attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.

Details

The issue is in FilesystemProvider._loc_to_file_path(). The method builds a candidate path with os.path.abspath(os.path.join(root_path, *path_parts)), then checks containment with file_path.startswith(root_path). This is not path-boundary aware. For example, if the configured share root is /tmp/share, a resolved sibling path such as /tmp/share_evil/secret.txt still starts with the string /tmp/share.

In a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.

The WSGI/server layer forwards the encoded dot segment to WsgiDAV's PATH_INFO. The local proof used /%2e%2e/..., which wsgiref passed through as /../....

A sibling or neighboring path exists whose absolute path starts with the configured root path string, such as /tmp/share and /tmp/share_evil.

The WsgiDAV process has OS permissions for the outside path.

References

Affected packages

PyPI / wsgidav

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.4

Affected versions

0.*
0.4.0b1
0.4.0b2
0.5.0
1.*
1.0.0
1.1.0
1.2.0
1.3.0
2.*
2.0.0
2.0.1
2.1.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0
2.4.0
2.4.1
3.*
3.0.0a1
3.0.0a2
3.0.0a3
3.0.0a4
3.0.0a5
3.0.0a6
3.0.0a7
3.0.0
3.0.1
3.0.2
3.0.3
3.0.5a2
3.0.5a3
3.1.0
3.1.1
4.*
4.0.0a2
4.0.0
4.0.1
4.0.2
4.1.0
4.2.0
4.3.0
4.3.1
4.3.2
4.3.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/wsgidav/PYSEC-2026-3428.yaml"