Update dependency python-multipart to v0.0.26 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
python-multipart (changelog)	==0.0.20 → ==0.0.26

GitHub Vulnerability Alerts

CVE-2026-24486

Summary

A Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename.

Details

When UPLOAD_DIR is set and UPLOAD_KEEP_FILENAME is True, the library constructs the file path using os.path.join(file_dir, fname). Due to the behavior of os.path.join(), if the filename begins with a /, all preceding path components are discarded:

os.path.join("/upload/dir", "/etc/malicious") == "/etc/malicious"

This allows an attacker to bypass the intended upload directory and write files to arbitrary paths.

Affected Configuration

Projects are only affected if all of the following are true:

• UPLOAD_DIR is set
• UPLOAD_KEEP_FILENAME is set to True
• The uploaded file exceeds MAX_MEMORY_FILE_SIZE (triggering a flush to disk)

The default configuration is not vulnerable.

Impact

Arbitrary file write to attacker-controlled paths on the filesystem.

Mitigation

Upgrade to version 0.0.22, or avoid using UPLOAD_KEEP_FILENAME=True in project configurations.

Severity

• CVSS Score: 8.6 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CVE-2026-40347

Summary

A denial of service vulnerability exists when parsing crafted multipart/form-data requests with large preamble or epilogue sections.

Details

Two inefficient multipart parsing paths could be abused with attacker-controlled input.

Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.

Impact

An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application.

Mitigation

Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

---

Release Notes

Kludex/python-multipart (python-multipart)

v0.0.26

Compare Source

• Skip preamble before the first multipart boundary more efficiently #​262.
• Silently discard epilogue data after the closing multipart boundary #​259.

v0.0.25

Compare Source

• Add MIME content type info to File #​143.
• Handle CTE values case-insensitively #​258.
• Remove custom FormParser classes #​257.
• Add UPLOAD_DELETE_TMP to FormParser config #​254.
• Emit field_end for trailing bare field names on finalize #​230.
• Handle multipart headers case-insensitively #​252.
• Apply Apache-2.0 properly #​247.

v0.0.24

Compare Source

• Validate chunk_size in parse_form() #​244.

v0.0.23

Compare Source

• Remove unused trust_x_headers parameter and X-File-Name fallback #​196.
• Return processed length from QuerystringParser._internal_write #​229.
• Cleanup metadata dunders from __init__.py #​227.

v0.0.22

Compare Source

• Drop directory path from filename in File 9433f4b.

v0.0.21

Compare Source

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 #​216.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: uv.lock

Command failed: uv lock --upgrade-package python-multipart
warning: The `tool.uv.dev-dependencies` field (used in `pyproject.toml`) is deprecated and will be removed in a future release; use `dependency-groups.dev` instead
Using CPython 3.14.4 interpreter at: /opt/containerbase/tools/python/3.14.4/bin/python3
  × No solution found when resolving dependencies for split (markers:
  │ python_full_version == '3.9.*'):
  ╰─▶ Because the requested Python version (>=3.9) does not satisfy
      Python>=3.10 and python-multipart==0.0.26 depends on Python>=3.10, we
      can conclude that python-multipart==0.0.26 cannot be used.
      And because your project depends on python-multipart==0.0.26, we can
      conclude that your project's requirements are unsatisfiable.

      hint: While the active Python version is 3.14, the resolution failed for
      other Python versions supported by your project. Consider limiting your
      project's supported Python versions using `requires-python`.

      hint: The `requires-python` value (>=3.9) includes Python versions that
      are not supported by your dependencies (e.g., python-multipart==0.0.26
      only supports >=3.10). Consider using a more restrictive
      `requires-python` value (like >=3.10).