CVE-2026-28356
Published: 12 March 2026
Summary
CVE-2026-28356 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 25.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the ReDoS vulnerability by identifying installations of vulnerable multipart versions and upgrading them to 1.2.2, 1.3.1 or a later release.
- SC-5 (Denial-of-service Protection): bounds the CPU a single request can consume, so that maliciously crafted HTTP or multipart headers cannot pin a worker in regex backtracking (request timeouts, per-worker CPU limits, and caps on header and body size).
- Validate and bound multipart/form-data header values before they are parsed (in particular, a hard length limit on Content-Type and Content-Disposition values), so that inputs designed to trigger exponential backtracking never reach the regex engine. Filtering such inputs by content is unreliable; the length cap is what bounds the worst case.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A ReDoS in the multipart parser lets a single crafted request exhaust the application's CPU, which matches T1499.004 Application or System Exploitation, the Endpoint Denial of Service sub-technique.
NVD Description
multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.
Deeper analysis
CVE-2026-28356 is a regular expression denial-of-service (ReDoS) vulnerability in the 'multipart' Python library, a fast parser for multipart/form-data. The issue affects the parse_options_header() function in multipart.py, which uses a regular expression with an ambiguous alternation: because more than one branch of the alternation can consume the same input, a failing match forces the backtracking engine to retry every way of splitting that input, and the work grows exponentially with the length of a crafted HTTP or multipart segment header. It impacts versions prior to 1.2.2, 1.3.1, and 1.4.0-dev, carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), and maps to CWE-1333 (Inefficient Regular Expression Complexity).
An unauthenticated attacker over the network can exploit this vulnerability by sending specially crafted HTTP requests or multipart/form-data streams containing headers designed to maximize backtracking in the regex engine. Successful exploitation causes excessive CPU consumption, leading to denial-of-service conditions in web applications that rely on the library for parsing such inputs, potentially rendering services unresponsive without requiring user interaction or privileges.
The GitHub security advisory at https://github.com/defnull/multipart/security/advisories/GHSA-p2m9-wcp5-6qw3 details the fix, which resolves the ReDoS issue in versions 1.2.2, 1.3.1, and 1.4.0-dev. Security practitioners should update affected applications to 1.2.2, 1.3.1 or a later release and review dependency manifests and lock files for vulnerable versions of the 'multipart' distribution. Check the PyPI distribution name rather than the import name: the affected project is 'multipart' (github.com/defnull/multipart), which is distinct from the separately maintained 'python-multipart' package.
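The exponential-backtracking mechanism described above, as an added example that is not code from the multipart project: the first regex below is a constructed instance of the same ambiguous-alternation class (both branches can consume a backslash, so an unterminated quoted string costs exponential time to reject), not the library's actual parse_options_header() pattern, which is not reproduced on this page. Beside it are the unambiguous rewrite of that regex and a hand-written, linear-time options-header parser with a length cap, the kind of input-validation and resource-bounding control the mitigations above point at. All function names and the probe input are this example's own.

```python
import re
import time

# Constructed illustration of the vulnerable pattern class (NOT the multipart library's own
# regex): the alternatives `\\.` and `[^"]` both accept a backslash, so when the closing quote
# is missing the engine retries every way of splitting a run of n backslashes between them
# before it can fail, which is exponential in n.
AMBIGUOUS_QUOTED = re.compile(r'"(?:\\.|[^"])*"')

# Hardened form of the same grammar: `[^"\\]` can no longer consume a backslash, so every
# character is matched in exactly one way and a failed match costs linear time.
UNAMBIGUOUS_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')


def redos_probe(n):
    """Constructed input: a quoted-string opener, n backslashes, and no closing quote."""
    return '"' + '\\' * n


def timed_search(pattern, text):
    """Return (match_or_None, elapsed_seconds) for pattern.search(text)."""
    start = time.perf_counter()
    m = pattern.search(text)
    return m, time.perf_counter() - start


def _split_params(s):
    """Split on ';' outside quotes, honouring backslash escapes inside quotes; one pass."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in s:
        if in_quote:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == '\\':
                escaped = True
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
            buf.append(ch)
        elif ch == ';':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return parts


def _unquote(v):
    """Strip one pair of double quotes and resolve backslash escapes; leave bare tokens as-is."""
    v = v.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        out, escaped = [], False
        for ch in v[1:-1]:
            if escaped:
                out.append(ch)
                escaped = False
            elif ch == '\\':
                escaped = True
            else:
                out.append(ch)
        return ''.join(out)
    return v  # unterminated quote or plain token: returned verbatim, still linear time


def parse_options_header_linear(header, max_len=8192):
    """Parse 'value; key=token; key2="quoted"' without a backtracking regex.

    Illustrative replacement for the vulnerable code path, not the library's implementation.
    The max_len cap is the input-validation control: it bounds the work for any parser,
    and belongs in front of regex-based header parsing as well.
    """
    if len(header) > max_len:
        raise ValueError("header value exceeds %d bytes" % max_len)
    parts = _split_params(header)
    value = parts[0].strip().lower()
    options = {}
    for part in parts[1:]:
        key, sep, raw = part.partition('=')
        if not sep:
            continue  # bare token without '=': skipped in this illustration
        options[key.strip().lower()] = _unquote(raw)
    return value, options


if __name__ == "__main__":
    probe = redos_probe(26)
    _, fast = timed_search(UNAMBIGUOUS_QUOTED, probe)
    _, slow = timed_search(AMBIGUOUS_QUOTED, probe)
    print("unambiguous: %.6fs  ambiguous: %.6fs" % (fast, slow))
    print(parse_options_header_linear('form-data; name="file"; filename="a\\"b.txt"'))
```

Raising the probe length by a few characters roughly doubles the ambiguous regex's running time while the unambiguous one stays flat, which is the CWE-1333 signature to look for when auditing header parsers. Python's re module offers no match timeout, so the length cap, not the regex rewrite alone, is what guarantees an upper bound on per-request CPU.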
Details
- CWE(s)