CVE-2026-27641 Overview
Flask-Reuploaded is a popular Flask extension that provides file upload functionality for Python web applications. A critical path traversal and extension bypass vulnerability exists in versions prior to 1.5.0 that allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). This vulnerability enables attackers to write files to arbitrary locations on the filesystem and bypass extension restrictions, creating a severe security risk for any Flask application using the affected library.
Critical Impact
Remote attackers can exploit this vulnerability to write arbitrary files to the server filesystem and execute malicious code through SSTI, potentially leading to complete system compromise.
Affected Products
- Flask-Reuploaded versions prior to 1.5.0
- Flask applications using vulnerable Flask-Reuploaded versions with user-controlled name parameter input
Discovery Timeline
- 2026-02-25 - CVE-2026-27641 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27641
Vulnerability Analysis
This vulnerability combines two dangerous attack techniques: path traversal and extension bypass. When user-controlled input is passed to the name parameter in Flask-Reuploaded's file upload handling, the application fails to properly sanitize the input before processing. This allows attackers to craft malicious filenames containing directory traversal sequences (such as ../) to escape the intended upload directory and write files to arbitrary locations on the filesystem.
The extension bypass component of the vulnerability allows attackers to circumvent file type restrictions that would normally prevent uploading dangerous file types. By manipulating the name parameter, attackers can override the original filename's extension, enabling them to upload executable templates or scripts disguised with allowed extensions.
When combined with Flask's Jinja2 templating engine, successful exploitation can lead to Server-Side Template Injection (SSTI), where malicious template code is executed on the server, resulting in remote code execution.
Root Cause
The root cause stems from insufficient input validation and sanitization of the name parameter in the file upload handling code. The vulnerability manifests due to:
- Missing secure_filename() application - The name parameter was not sanitized using Werkzeug's secure_filename() function, allowing path traversal sequences to pass through
- Inadequate extension re-validation - After a name override, the file extension was not re-validated against allowed extensions
- No path containment checks - The code did not verify that the final file path remained within the designated upload directory
- Unsanitized folder extraction - When the name parameter contained path separators, the extracted folder component was not sanitized
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Sending a crafted HTTP file upload request to a vulnerable Flask application
- Including directory traversal sequences in the name parameter (e.g., ../../../templates/malicious.html)
- Bypassing extension restrictions by manipulating the filename after the folder split operation
- Writing a malicious Jinja2 template file to the application's template directory
- Triggering the template to execute arbitrary Python code on the server
The security patch addresses these issues by applying proper sanitization:
if not isinstance(storage, FileStorage):
raise TypeError("storage must be a werkzeug.FileStorage")
+ # Track if name ends with dot before any processing
+ name_ends_with_dot = name is not None and name.rstrip().endswith('.')
+
if folder is None and name is not None and "/" in name:
folder, name = os.path.split(name)
+ # Check again after split
+ name_ends_with_dot = name.rstrip().endswith('.')
+ # Sanitize folder and name extracted from name parameter
+ if folder:
+ folder = secure_filename(folder)
+ if name:
+ name = secure_filename(name)
if storage.filename is None:
raise ValueError("Filename must not be empty!")
basename = self.get_basename(storage.filename)
Source: GitHub Commit
Detection Methods for CVE-2026-27641
Indicators of Compromise
- Unexpected files appearing outside the designated upload directory
- Template files with suspicious content in Flask template directories
- Web server logs showing file upload requests with path traversal patterns (../, ..%2f, etc.)
- Unusual server-side template execution errors or unexpected template rendering behavior
Detection Strategies
- Monitor file system activity for writes outside configured upload directories
- Implement web application firewall (WAF) rules to detect path traversal sequences in HTTP requests
- Review Flask-Reuploaded version in requirements.txt or pyproject.toml for versions below 1.5.0
- Audit application code for instances where user input is passed to the name parameter
Monitoring Recommendations
- Enable detailed logging for file upload operations including full request parameters
- Set up alerts for file creation events in sensitive directories such as /templates/ or application root
- Monitor for anomalous HTTP POST requests to file upload endpoints with encoded path separators
- Implement integrity monitoring on template directories to detect unauthorized modifications
How to Mitigate CVE-2026-27641
Immediate Actions Required
- Upgrade Flask-Reuploaded to version 1.5.0 or later immediately
- Audit existing uploaded files for any suspicious content or unauthorized file locations
- Review application code to identify any instances where user input is passed to the name parameter
- Implement temporary input validation if immediate upgrade is not possible
Patch Information
Flask-Reuploaded version 1.5.0 contains the complete security fix for this vulnerability. The patch applies secure_filename() to the name parameter, re-validates file extensions after name override, adds path containment checks, and sanitizes folder components extracted from the name parameter.
Upgrade using pip:
pip install --upgrade flask-reuploaded>=1.5.0
For additional details, refer to the GitHub Security Advisory GHSA-65mp-fq8v-56jr and Pull Request #180.
Workarounds
- Do not pass user-controlled input to the name parameter under any circumstances
- Use auto-generated filenames only by allowing Flask-Reuploaded to derive filenames from the uploaded file
- Implement strict input validation if the name parameter must be used, rejecting any input containing path separators or traversal sequences
- Deploy the application in a containerized environment with restricted filesystem access as defense-in-depth
# Configuration example
# Verify your Flask-Reuploaded version
pip show flask-reuploaded | grep Version
# Upgrade to patched version
pip install flask-reuploaded>=1.5.0
# Verify upgrade was successful
pip show flask-reuploaded | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
