CVE-2026-24486
Published: 27 January 2026
Summary
CVE-2026-24486 is a high-severity path traversal (CWE-22) vulnerability in Python-Multipart (vendor listed as Fastapiexpert). Its CVSS base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.
The strongest mitigations identified are NIST SP 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.22 contain a path traversal flaw that is reachable only when two non-default options are both set: UPLOAD_DIR (uploaded files are written to disk in that directory) and UPLOAD_KEEP_FILENAME=True (the client-supplied filename is reused as the on-disk name). With both enabled, a crafted filename in a multipart upload makes the parser write the file outside the intended directory.
An unauthenticated remote attacker can trigger the flaw over the network with no user interaction and place attacker-controlled file content at a filesystem path of their choosing, subject to the permissions of the process running the parser. The CVSS 3.1 base score of 8.6 reflects high integrity impact with limited confidentiality and availability impact, consistent with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L.
The project's security advisory and release notes direct users to upgrade to 0.0.22, which contains the corrective commit, or, as an immediate workaround, to stop setting UPLOAD_KEEP_FILENAME=True. The installed version can be checked with `pip show python-multipart`. Because the vulnerable path is opt-in, it is also worth auditing where your own code passes a config dictionary to the parser: the default configuration does not write files under the client's filename.
The associated EPSS score has stayed flat at a low 0.0102, with no material rise after disclosure.
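To make the mechanism concrete, the following added example (not code from python-multipart, its advisory, or its fix) reconstructs the unsafe join that UPLOAD_KEEP_FILENAME=True amounts to, beside a hardened resolver that applies the filename validation SI-10 calls for. The helper names (`unsafe_upload_path`, `safe_upload_path`, `is_escape`), the sample Content-Disposition header and the minimal filename regex are assumptions made for the illustration; the regex is not a full multipart header parser.

```python
"""Illustrative upload path resolution: the unsafe join that matches the behaviour
the advisory describes, beside a hardened version. Added example; this is not
python-multipart's own code and the helper names are made up for the demo."""
import os
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample: the Content-Disposition value of one multipart part, as an
# attacker would send it inside the multipart body.
MALICIOUS_PART_HEADER = 'form-data; name="file"; filename="../../etc/cron.d/evil"'

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def filename_from_content_disposition(value: str) -> Optional[str]:
    """Pull the quoted filename parameter out of a Content-Disposition value.
    Deliberately minimal (no RFC 2231 filename* handling); it only shows that
    the string reaching the filesystem is attacker-controlled end to end."""
    m = _FILENAME_RE.search(value)
    return m.group(1) if m else None


def unsafe_upload_path(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern (hypothetical reconstruction of what keeping the client
    filename amounts to): the untrusted name is joined onto UPLOAD_DIR as-is, so
    '..' components and absolute paths walk out of the directory. Do not use."""
    return os.path.abspath(os.path.join(upload_dir, filename))


def is_escape(upload_dir: str, filename: str) -> bool:
    """Detection helper: would the vulnerable join leave UPLOAD_DIR for this name?
    Usable for scanning logged filenames or fuzzing an upload handler."""
    base = os.path.abspath(upload_dir)
    return os.path.commonpath([base, unsafe_upload_path(upload_dir, filename)]) != base


def sanitize_filename(filename: str) -> str:
    """Reduce an untrusted filename to one safe path component (SI-10 style input
    validation). Raises ValueError instead of guessing at a name."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    # PureWindowsPath treats both '/' and '\\' as separators and strips drive
    # letters, so the last component is taken whatever the client's platform is.
    name = PureWindowsPath(filename).name
    if name in ("", ".", ".."):
        raise ValueError(f"unusable filename: {filename!r}")
    if any(ord(c) < 32 for c in name):
        raise ValueError("control character in filename")
    return name[:255]


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Hardened resolver: sanitize, join, then verify containment as a second line
    of defence so a future sanitizer bug still cannot escape UPLOAD_DIR."""
    base = os.path.abspath(upload_dir)
    candidate = os.path.abspath(os.path.join(base, sanitize_filename(filename)))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the upload directory")
    return candidate


if __name__ == "__main__":
    upload_dir = "/srv/uploads"  # assumed UPLOAD_DIR for the demo
    name = filename_from_content_disposition(MALICIOUS_PART_HEADER)
    print("client filename :", name)
    print("vulnerable join :", unsafe_upload_path(upload_dir, name))
    print("escapes dir?    :", is_escape(upload_dir, name))
    print("hardened result :", safe_upload_path(upload_dir, name))
```

Run stand-alone, the block shows the vulnerable join turning `../../etc/cron.d/evil` into `/etc/cron.d/evil`, while the hardened resolver keeps the file at `/srv/uploads/evil`. The equivalent of the advisory's workaround is simply not passing `UPLOAD_KEEP_FILENAME` as True in the parser configuration; a resolver like the one above is for application code that must preserve client-chosen names and therefore has to validate them itself.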
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4754
Vulnerability details
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats: MITRE ATT&CK Enterprise Techniques
Why these techniques? The path traversal in Python-Multipart gives an unauthenticated remote attacker an arbitrary file write through a public-facing multipart upload endpoint, which is the pattern described by Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST SP 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of the untrusted filename in multipart uploads so that path traversal sequences are rejected before any file is written.
- CM-6 (Configuration Settings): requires restricting or disabling the non-default UPLOAD_KEEP_FILENAME=True setting that enables the traversal vector.
- Patching: mandates prompt application of the 0.0.22 release that corrects the filename handling flaw in Python-Multipart.