Which versions of django-s3file are affected by CVE-2026-42196?

django-s3file versions 7.0.1 and earlier contain a path traversal vulnerability in S3FileMiddleware that allows attackers to bypass upload location restrictions and force applications to load…. A patch is available.

django-s3file CVE-2026-42196

Q: What is the CVSS score of CVE-2026-42196?

CVE-2026-42196 has a CVSS 4.0 base score of 9.9 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

Q: How to fix or mitigate CVE-2026-42196?

Within 24 hours: Identify all Django applications using django-s3file and verify their current version via pip show django-s3file or requirements.txt audit. Within 7 days: Upgrade all affected instances to django-s3file version 7.0.2 or later, test in staging environment, and deploy to production with validation that S3 upload location restrictions are enforced. Within 30 days: Review S3 bucket policies and application file processing logic to confirm no malicious files were previously loaded, and implement input validation on file paths independent of middleware.

CRITICAL

Relative Path Traversal (CWE-23)

2026-05-05 https://github.com/codingjoe/django-s3file

GHSA-67qg-7284-2277

Python Path Traversal

9.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

May 12, 2026 - 22:22 vuln.today

cvss_changed

CVSS changed

May 12, 2026 - 22:22 NVD

9.9 (CRITICAL)

Source Code Evidence Fetched

May 05, 2026 - 21:01 vuln.today

Analysis Generated

May 05, 2026 - 21:01 vuln.today

DescriptionNVD

Impact

S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILES

Depending on how files are handled, this may lead to confidentiality and integrity issues.

Patches

Django-S3File urges all users to update to a patched version >=7.0.2.

AnalysisAI

Path traversal in django-s3file's S3FileMiddleware allows attackers to manipulate HTTP requests and force Django applications to load arbitrary files from unintended S3 locations into request.FILES, bypassing pre-signed upload location restrictions. Affects all versions <=7.0.1. …

RemediationAI

Within 24 hours: Identify all Django applications using django-s3file and verify their current version via pip show django-s3file or requirements.txt audit. Within 7 days: Upgrade all affected instances to django-s3file version 7.0.2 or later, test in staging environment, and deploy to production with validation that S3 upload location restrictions are enforced. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42196 vulnerability details – vuln.today

Back

django-s3file CVE-2026-42196

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

django-s3file CVE-2026-42196

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code