Cyber Resilience

CVE-2026-40491

Medium · Public PoC

Published: 18 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: available (gdown 5.2.2)
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40491 is a medium-severity Path Traversal (CWE-22) vulnerability in wkentaro's gdown. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40491 is a path traversal vulnerability (CWE-22) in the gdown library, a Python tool for downloading public files and folders from Google Drive. Versions prior to 5.2.2 are affected due to inadequate sanitization and validation of filenames in ZIP or TAR archives processed by the extractall functionality. This flaw enables archive members to write files outside the intended destination directory, resulting in arbitrary file overwrites and potential remote code execution (RCE). The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though user interaction is necessary. A threat actor crafts a malicious ZIP or TAR archive hosted on Google Drive or elsewhere, tricking a user into downloading and extracting it via a vulnerable gdown version. Successful exploitation allows overwriting critical files outside the target directory, such as configuration files or executables, potentially leading to RCE depending on the overwritten files and system context.

Mitigation is available in gdown version 5.2.2, which addresses the issue through a specific commit. Security practitioners should upgrade to this version immediately. Relevant advisories and resources include the GitHub security advisory (GHSA-76hw-p97h-883f), the release notes for v5.2.2, and the fixing commit (af569fc6ed300b7974dee66dc51e9f01b57b4dff).


Vulnerability details

gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allows files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Path traversal in gdown archive extraction enables arbitrary file overwrite leading to RCE; directly facilitates client-side exploitation via malicious archive (T1203) and requires user execution of malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28373 (shared CWE-22)
CVE-2026-5656 (shared CWE-22)
CVE-2026-40157 (shared CWE-22)
CVE-2025-10284 (shared CWE-22)
CVE-2025-0332 (shared CWE-22)
CVE-2026-30853 (shared CWE-22)
CVE-2026-40027 (shared CWE-22)
CVE-2025-2449 (shared CWE-22)
CVE-2026-39307 (shared CWE-22)
CVE-2026-22871 (shared CWE-22)

Affected Assets

wkentaro
gdown
≤ 5.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation (prevent)

Directly mandates timely remediation of the path traversal flaw in gdown by upgrading to version 5.2.2, preventing exploitation via malicious archives.

SI-10 Information Input Validation (prevent)

Requires validation and sanitization of archive filenames to block path traversal attacks that write files outside the intended directory.

Malicious code protection (prevent / detect)

Deploys malicious code protection to scan and block harmful ZIP/TAR archives downloaded via gdown before extraction.
