CVE-2026-40491
Published: 18 April 2026
Summary
CVE-2026-40491 is a medium-severity Path Traversal (CWE-22) vulnerability in Wkentaro Gdown. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 16.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
- Directly mandates timely remediation of the path traversal flaw in gdown by upgrading to version 5.2.2, preventing exploitation via malicious archives.
- Requires validation and sanitization of archive filenames to block path traversal attacks that write files outside the intended directory.
- Deploys malicious code protection to scan and block harmful ZIP/TAR archives downloaded via gdown before extraction.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in gdown archive extraction enables arbitrary file overwrite leading to RCE. This directly facilitates client-side exploitation via a malicious archive (T1203) and requires the user to execute a malicious file (T1204.002).
NVD Description
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allows files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.
Deeper analysisAI
CVE-2026-40491 is a path traversal vulnerability (CWE-22) in the gdown library, a Python tool for downloading public files and folders from Google Drive. Versions prior to 5.2.2 are affected due to inadequate sanitization and validation of filenames in ZIP or TAR archives processed by the extractall functionality. This flaw enables archive members to write files outside the intended destination directory, resulting in arbitrary file overwrites and potential remote code execution (RCE). The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though user interaction is necessary. A threat actor crafts a malicious ZIP or TAR archive hosted on Google Drive or elsewhere, tricking a user into downloading and extracting it via a vulnerable gdown version. Successful exploitation allows overwriting critical files outside the target directory, such as configuration files or executables, potentially leading to RCE depending on the overwritten files and system context.
Mitigation is available in gdown version 5.2.2, which addresses the issue through a specific commit. Security practitioners should upgrade to this version immediately. Relevant advisories and resources include the GitHub security advisory (GHSA-76hw-p97h-883f), the release notes for v5.2.2, and the fixing commit (af569fc6ed300b7974dee66dc51e9f01b57b4dff).
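As an added example, not gdown's code or its fix, the following Python shows the input-validation control described above (SI-10, validation of archive member filenames) in working form: every ZIP or TAR member path is resolved against the destination directory before anything is extracted, and the whole archive is refused if any member would land outside it. It also checks TAR symlink and hardlink targets, a case the advisory text does not cover but which is another route out of the destination directory. The sample archives, member names and temporary destination are constructed for the demonstration.

```python
# Added example (not gdown's code or its fix): audit every archive member path against the
# destination before extracting. Archives, member names and destination are constructed.
import io
import os
import tarfile
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveMember(ValueError):
    """An archive entry would be written or linked outside the destination."""


def _resolve_inside(dest: Path, relative: str, what: str) -> Path:
    """Resolve `relative` against `dest` and require the result to stay under `dest`."""
    if not relative or os.path.isabs(relative) or os.path.splitdrive(relative)[0]:
        raise UnsafeArchiveMember(f"{what} {relative!r} is an absolute path")
    target = (dest / relative).resolve()  # collapses '..' and follows existing symlinks
    if target != dest and dest not in target.parents:
        raise UnsafeArchiveMember(f"{what} {relative!r} escapes {dest}")
    return target


def audit_archive(data: bytes, dest) -> list:
    """Return names of ZIP/TAR members in `data` that would escape `dest`.

    TAR symlink and hardlink targets are checked too: a link pointing outside
    `dest` is another way a later write can leave the destination directory.
    """
    dest, bad, buf = Path(dest).resolve(), [], io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for name in zf.namelist():
                try:
                    _resolve_inside(dest, name, "zip member")
                except UnsafeArchiveMember:
                    bad.append(name)
        return bad
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:*") as tf:
        for m in tf.getmembers():
            try:
                _resolve_inside(dest, m.name, "tar member")
                if m.issym():  # symlink targets are relative to the link's own directory
                    _resolve_inside(dest, os.path.join(os.path.dirname(m.name), m.linkname), "symlink")
                elif m.islnk():  # hardlink targets are relative to the archive root
                    _resolve_inside(dest, m.linkname, "hardlink")
            except UnsafeArchiveMember:
                bad.append(m.name)
    return bad


def safe_extractall(data: bytes, dest) -> list:
    """Extract into `dest` only if every member passes; a rejected archive writes nothing.

    Returns the extracted paths relative to `dest`, sorted.
    """
    dest = Path(dest).resolve()
    bad = audit_archive(data, dest)
    if bad:
        raise UnsafeArchiveMember(f"refusing to extract; unsafe members: {bad}")
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            zf.extractall(dest)
    else:
        buf.seek(0)
        # On interpreters with PEP 706 filters, add tarfile's own 'data' filter as a second layer.
        opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            tf.extractall(dest, **opts)
    return sorted(str(p.relative_to(dest)) for p in dest.rglob("*"))


def constructed_fixtures() -> dict:
    """Constructed samples: a clean ZIP, a ZIP with a '..' member, a TAR with an escaping symlink."""
    clean, traversal, tar = io.BytesIO(), io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("model/weights.txt", "benign content")
    with zipfile.ZipFile(traversal, "w") as zf:
        zf.writestr("model/weights.txt", "benign content")
        zf.writestr("../escape.txt", "would land beside dest")  # constructed traversal name
    with tarfile.open(fileobj=tar, mode="w") as tf:
        payload = b"benign content"
        info = tarfile.TarInfo("model/weights.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("model/link")
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside"  # constructed: points above dest
        tf.addfile(link)
    return {"clean": clean.getvalue(), "traversal": traversal.getvalue(), "symlink_tar": tar.getvalue()}


def demo() -> dict:
    """Audit and extract the constructed fixtures in a fresh temp dir; return what happened."""
    fx, root = constructed_fixtures(), Path(tempfile.mkdtemp())
    dest = root / "dest"
    result = {"zip_unsafe": audit_archive(fx["traversal"], dest),
              "tar_unsafe": audit_archive(fx["symlink_tar"], dest)}
    try:
        safe_extractall(fx["traversal"], dest)
        result["zip_refused"] = False
    except UnsafeArchiveMember:
        result["zip_refused"] = True
    result["written_after_refusal"] = sorted(str(p) for p in root.rglob("*"))  # expect nothing
    result["clean_extracted"] = safe_extractall(fx["clean"], dest)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit runs over the whole member list before the first byte is written, so a rejected archive leaves the destination untouched rather than half-extracted; resolving both the destination and each candidate path with `Path.resolve()` keeps the comparison correct when the destination itself sits behind a symlink. Where the interpreter provides PEP 706 extraction filters, `tarfile`'s `filter="data"` enforces similar rules at library level, and the explicit audit keeps behaviour uniform across interpreter versions and across both archive formats.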
Details
- CWE(s)