Cyber Resilience

CVE-2026-24486

Severity: High · Public PoC · Updated

Published: 27 January 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.6 — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS Score: 0.0176 (75.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24486 is a high-severity Path Traversal (CWE-22) vulnerability in Fastapiexpert Python-Multipart. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

Python-Multipart is a streaming multipart parser for Python that is affected by a path traversal vulnerability prior to version 0.0.22. The flaw occurs only when the non-default options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True are both enabled, allowing a crafted filename supplied during a multipart upload to write files outside the intended directory.

An unauthenticated remote attacker can exploit the issue over the network without user interaction to place arbitrary files at chosen filesystem paths, resulting in a CVSS 3.1 score of 8.6 that reflects high integrity impact alongside limited confidentiality and availability effects.

The project’s security advisory and release notes direct users to upgrade to 0.0.22, which contains the corrective commit, or to disable UPLOAD_KEEP_FILENAME=True as an immediate workaround.

The associated EPSS score has remained flat at the low value of 0.0102 with no material rise after disclosure.

Vulnerability details

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using the non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
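The filename check the advisory calls for, written here as an added example and not python-multipart's own code: `naive_upload_target` shows what an unguarded "keep the client's filename" join does, and `safe_upload_target` is the hardened form that rejects anything but a single path component and then verifies containment. Function names and the `/var/uploads` directory are assumptions for illustration; the sample filenames are constructed.

```python
import os
import re

# Path separators (both styles), NUL and other control bytes must never appear
# in a bare filename lifted from a multipart Content-Disposition header.
_FORBIDDEN = re.compile(r"[\\/\x00-\x1f\x7f]")


def naive_upload_target(upload_dir: str, filename: str) -> str:
    """Unguarded 'keep the client's filename' join, shown for comparison.

    os.path.join drops upload_dir entirely when filename is absolute, and
    '..' components walk out of it once the path is normalised.
    """
    return os.path.normpath(os.path.join(upload_dir, filename))


def safe_upload_target(upload_dir: str, filename: str) -> str:
    """Return a write path that is a direct child of upload_dir, else raise.

    A client-supplied filename is rejected (not silently rewritten) unless it
    is a single path component, so attempts can be logged; a realpath
    containment check is kept as defence in depth against symlinks.
    """
    if not filename or filename in (".", ".."):
        raise ValueError("empty or dot-only filename")
    if _FORBIDDEN.search(filename):
        raise ValueError("path separator or control character in filename")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(target) != base:
        raise ValueError("resolved path escapes upload_dir")
    return target


def review_filenames(upload_dir: str, filenames) -> dict:
    """Verdict per filename; handy when replaying upload logs after the fact."""
    verdicts = {}
    for name in filenames:
        try:
            safe_upload_target(upload_dir, name)
            verdicts[name] = "accepted"
        except ValueError as exc:
            verdicts[name] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    # Constructed sample filenames of the kind a multipart client could send.
    samples = ["report.pdf", "../../etc/passwd", "/etc/cron.d/job", "..\\x.ini", ".."]
    for name, verdict in review_filenames("/var/uploads", samples).items():
        print(f"{name!r:22} naive={naive_upload_target('/var/uploads', name)!r:30} {verdict}")
```

Rejecting rather than rewriting is deliberate: a stripped `../` leaves no trace, whereas a raised `ValueError` can be logged and counted as an indicator of probing against the upload endpoint.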

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability in Python-Multipart enables unauthenticated remote file write to arbitrary locations via public-facing multipart upload endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2505 (shared CWE-22)
CVE-2026-5841 (shared CWE-22)
CVE-2026-33242 (shared CWE-22)
CVE-2026-33292 (shared CWE-22)
CVE-2026-35605 (shared CWE-22)
CVE-2025-53632 (shared CWE-22)
CVE-2025-8110 (shared CWE-22)
CVE-2026-8757 (shared CWE-22)
CVE-2025-7712 (shared CWE-22)
CVE-2026-31817 (shared CWE-22)

Affected Assets

fastapiexpert / python-multipart, versions ≤ 0.0.22

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces validation of untrusted filename input in multipart uploads to block path traversal sequences before files are written.

prevent: Requires restricting or disabling the non-default UPLOAD_KEEP_FILENAME=True setting that enables the path traversal vector.

respond: Mandates prompt application of the 0.0.22 patch that corrects the filename handling flaw in Python-Multipart.
