CVE-2026-42196: Django-S3File allows attackers to load files from anywhere
Identifiers: CVE-2026-42196, GHSA-67qg-7284-2277
CVSS 4.0 score (GHSA): 9.9
Summary
An attacker can trick Django-S3File into loading files from unintended locations, potentially exposing sensitive data or corrupting files. To fix this, update Django-S3File to version 7.0.2 or later.
What to do
- Update django-s3file to version 7.0.2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | django-s3file | <= 7.0.1 (fix: upgrade to 7.0.2) |
| PyPI | – | django-s3file | < 7.0.2 (fix: upgrade to 7.0.2) |
Original title
django-s3file is vulnerable to relative path traversal
Original description
### Impact
`S3FileMiddleware` is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into `request.FILES`.
Depending on how files are handled, this may lead to confidentiality and integrity issues.
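The traversal class described above, as an added example that is not django-s3file's code and not its 7.0.2 fix: a naive textual prefix check sits beside a hardened one that normalizes the requested S3 key before deciding whether it still lies inside the pre-signed upload prefix. `UPLOAD_PREFIX`, `resolve_upload_key`, `vulnerable_resolve` and the sample keys are constructed for the illustration.

```python
"""
Added example (not django-s3file's own code): a prefix-containment check of
the kind that mitigates relative path traversal on S3 object keys. The names
UPLOAD_PREFIX, resolve_upload_key and vulnerable_resolve are hypothetical.
"""
import posixpath

# Constructed example: the pre-signed upload location the server issued.
UPLOAD_PREFIX = "tmp/s3file/abc123/"


def normalize_key(key: str) -> str:
    """Collapse '.', '..' and duplicate slashes in an S3 key.

    S3 keys are flat strings, but any code that later joins them with
    posixpath or turns them into a filesystem path honours '..', so we
    normalize with the same rules before checking containment.
    """
    normalized = posixpath.normpath(key)
    # normpath("") returns "."; treat that as an empty key.
    return "" if normalized == "." else normalized


def resolve_upload_key(requested_key: str, prefix: str = UPLOAD_PREFIX) -> str:
    """Return the normalized key if it lies strictly inside the prefix.

    Raises ValueError otherwise, so the caller never loads an object from
    outside the location the server actually authorised for this upload.
    """
    norm_prefix = normalize_key(prefix)
    norm_key = normalize_key(requested_key)
    # Match on a segment boundary: "tmp/s3file/abc123x/..." must not pass
    # for the prefix "tmp/s3file/abc123/", and the prefix itself is not a file.
    if norm_key == norm_prefix or not norm_key.startswith(norm_prefix + "/"):
        raise ValueError(
            f"key {requested_key!r} is outside upload prefix {prefix!r}"
        )
    # A leading slash survives normpath and fails the relative-prefix test
    # above, so absolute-looking keys are rejected as well.
    return norm_key


def is_inside_prefix(requested_key: str, prefix: str = UPLOAD_PREFIX) -> bool:
    """Boolean view of resolve_upload_key, convenient for logging/metrics."""
    try:
        resolve_upload_key(requested_key, prefix)
        return True
    except ValueError:
        return False


def vulnerable_resolve(requested_key: str, prefix: str = UPLOAD_PREFIX) -> str:
    """The naive pattern: trust any key that textually starts with the prefix.

    A key such as 'tmp/s3file/abc123/../../other' passes this check, yet
    resolves to an object outside the prefix once '..' is honoured downstream.
    """
    if not requested_key.startswith(prefix):
        raise ValueError("outside prefix")
    return requested_key


if __name__ == "__main__":
    # Constructed sample keys: one legitimate, one that climbs out of the prefix.
    for key in ("tmp/s3file/abc123/report.pdf", "tmp/s3file/abc123/../../other"):
        print(f"{key!r}: naive check passes={key.startswith(UPLOAD_PREFIX)}, "
              f"hardened check passes={is_inside_prefix(key)}")
```

The hardened check is deliberately strict: it rejects the prefix itself, any key that only shares a textual prefix without a segment boundary, and any key whose normalized form leaves the authorised location, regardless of how many `..` segments were used to get there.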
### Patches
Django-S3File urges all users to update to a patched version >=7.0.2.
Vulnerability type
- CWE-23
- CWE-26
- CWE-22
- Path Traversal
Published: 5 May 2026 · Updated: 28 May 2026 · First seen: 5 May 2026