Skip to main content

django-s3file CVE-2026-42196

CRITICAL
Relative Path Traversal (CWE-23)
2026-05-05 https://github.com/codingjoe/django-s3file GHSA-67qg-7284-2277
9.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 12, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 22:22 NVD
9.9 (CRITICAL)
Source Code Evidence Fetched
May 05, 2026 - 21:01 vuln.today
Analysis Generated
May 05, 2026 - 21:01 vuln.today

DescriptionGitHub Advisory

Impact

S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILES

Depending on how files are handled, this may lead to confidentiality and integrity issues.

Patches

Django-S3File urges all users to update to a patched version >=7.0.2.

AnalysisAI

Path traversal in django-s3file's S3FileMiddleware allows attackers to manipulate HTTP requests and force Django applications to load arbitrary files from unintended S3 locations into request.FILES, bypassing pre-signed upload location restrictions. Affects all versions <=7.0.1. Vendor-confirmed vulnerability with patch released in version 7.0.2. No active exploitation confirmed (not in CISA KEV). CVSS metrics not available, but path traversal combined with file handling operations presents moderate confidentiality and integrity risk depending on application-specific file processing logic.

Technical ContextAI

Django-s3file is a Python middleware library that facilitates direct S3 uploads in Django applications by handling pre-signed S3 URLs and populating request.FILES with uploaded content. The vulnerability resides in S3FileMiddleware's input validation logic, specifically CWE-23 (Relative Path Traversal). The middleware fails to properly sanitize or canonicalize file path parameters in HTTP requests before retrieving files from S3. Attackers can inject relative path sequences (likely '../' traversal patterns) to escape the intended pre-signed upload directory scope and reference arbitrary S3 objects within the bucket or accessible storage. This allows unauthorized file access outside the application's expected upload boundaries, violating the security contract of pre-signed URLs which should restrict uploads to specific object keys.

RemediationAI

Immediately upgrade django-s3file to version 7.0.2 or later using pip install --upgrade django-s3file==7.0.2 or updating requirements.txt and redeploying. Vendor advisory confirms version 7.0.2 contains the fix for path validation in S3FileMiddleware (https://github.com/codingjoe/django-s3file/security/advisories/GHSA-67qg-7284-2277). If immediate upgrade is not feasible, implement compensating controls: (1) add custom middleware before S3FileMiddleware to validate and sanitize file path parameters, rejecting requests containing '../', encoded traversal sequences, or paths resolving outside expected prefixes; (2) restrict S3 bucket IAM policies to enforce least-privilege access scoping uploaded objects to specific prefixes, limiting traversal impact; (3) implement additional application-layer validation on request.FILES to verify file origins match expected S3 keys before processing. Note that workarounds do not eliminate the vulnerability and may interfere with legitimate file upload workflows; upgrading remains the definitive remediation.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-42196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy