CVE-2026-38360 Overview
CVE-2026-38360 is a directory traversal vulnerability [CWE-22] in the fohrloop dash-uploader Python package, affecting versions 0.1.0 through 0.7.0a2. The flaw resides in the dash_uploader/httprequesthandler.py module, specifically in the BaseHttpRequestHandler.get_temp_root() and BaseHttpRequestHandler._post() methods. A remote, unauthenticated attacker can manipulate file path parameters in upload requests to write files outside the intended directory. Successful exploitation enables arbitrary code execution on the server hosting the Dash application. The dash-uploader package is distributed via PyPI and is commonly used to add large-file upload functionality to Plotly Dash web applications.
Critical Impact
Remote attackers can write arbitrary files outside the upload directory and achieve code execution without authentication or user interaction.
Affected Products
- fohrloop/dash-uploader versions 0.1.0 through 0.7.0a2
- Plotly Dash applications integrating the vulnerable dash-uploader package via PyPI
- Python web services exposing the BaseHttpRequestHandler upload endpoint
Discovery Timeline
- 2026-05-08 - CVE-2026-38360 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-38360
Vulnerability Analysis
The vulnerability stems from improper validation of user-supplied filename and path values processed by the upload handler. The dash-uploader package implements chunked file uploads through a custom HTTP request handler, where the destination path is constructed by concatenating an attacker-influenced filename with a server-side temporary root directory. Because the input is not normalized or constrained to the upload root, attackers can embed directory traversal sequences such as ../ to escape the intended directory.
When the handler writes uploaded content to the attacker-controlled path, it can overwrite arbitrary files on the host. Targets include Python source files imported by the running Dash application, configuration files, scheduled task definitions, or static assets served by the web server. Overwriting an imported .py file allows the attacker to stage code that the application loads on the next import or restart, yielding remote code execution. The EPSS score of 17.5% (95th percentile) reflects an elevated likelihood of exploitation activity.
Root Cause
The root cause is missing path canonicalization and traversal sequence filtering inside BaseHttpRequestHandler.get_temp_root() and BaseHttpRequestHandler._post(). The handler trusts the client-supplied filename and joins it directly with the upload root without verifying that the resolved absolute path remains within the permitted upload directory.
Attack Vector
The attack is reachable over the network with low complexity and no authentication required. An attacker sends a crafted multipart POST request to the Dash upload endpoint with a filename containing relative path segments such as ..\..\..\app.py. The handler resolves the path outside the upload root and writes attacker-controlled bytes to the target file. The vulnerability mechanism is documented in the GitHub Issue Tracker and demonstrated in the GitHub PoC Repository. No verified exploit code is reproduced here.
Detection Methods for CVE-2026-38360
Indicators of Compromise
- HTTP POST requests to dash-uploader endpoints containing ..\ or ../ sequences in the filename or flowFilename parameter.
- Unexpected file writes to Python source directories, web roots, or system configuration paths originating from the Dash application process.
- New or modified .py files in the application directory timestamped during upload activity.
- Outbound network connections from the Python web service process immediately following an upload event.
Detection Strategies
- Inspect web server and reverse proxy logs for upload requests where filename fields contain encoded or raw traversal sequences (%2e%2e%2f, ..%2f, ../).
- Apply file integrity monitoring on directories containing the Dash application source and its Python dependencies.
- Correlate process telemetry showing the Python interpreter spawning unexpected shell child processes (cmd.exe, /bin/sh) after upload traffic.
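The log-inspection strategy above, as an added example that is not part of the original page or the dash-uploader project: it scans constructed access-log lines (assumed to be in the common combined format) for the raw, URL-encoded and double-encoded traversal sequences listed, checking every query parameter (the flowFilename name comes from the page) and the request path, while leaving benign names that merely contain ".." alone.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A traversal segment once decoding is undone: ".." delimited by "/" or "\" (or string ends).
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
# Combined-format access-log line: client IP, then the request line with method and target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*"')

def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %2e%2e%2f and double-encoded %252e%252e%252f both become '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value: str) -> bool:
    """True if the decoded value contains a parent-directory segment."""
    return TRAVERSAL.search(normalize(value)) is not None

def scan_access_log(text: str) -> list:
    """One finding per request whose path or any query parameter carries a traversal segment."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        hits = [k for k, vals in params.items() if any(has_traversal(v) for v in vals)]
        if has_traversal(parts.path):
            hits.append("path")
        if hits:
            findings.append({"ip": m.group("ip"), "method": m.group("method"), "params": hits})
    return findings

# Constructed sample lines (not from any real system); the last one is a benign name containing "..".
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2026:10:01:12 +0000] "GET /upload?flowFilename=report.csv&flowChunkNumber=1 HTTP/1.1" 200 12
10.0.0.7 - - [08/May/2026:10:02:30 +0000] "GET /upload?flowFilename=..%2F..%2Fapp.py&flowChunkNumber=1 HTTP/1.1" 200 12
10.0.0.9 - - [08/May/2026:10:03:44 +0000] "POST /upload?flowFilename=%252e%252e%252fapp.py HTTP/1.1" 200 0
10.0.0.8 - - [08/May/2026:10:04:01 +0000] "GET /upload?flowFilename=data..v2.csv HTTP/1.1" 200 12
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} traversal in {', '.join(f['params'])}")
```

Multipart POST bodies are not visible in access logs, so pair this with the full-body capture recommended below for the POST chunk path.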
Monitoring Recommendations
- Alert on writes by the Dash application process to paths outside its designated upload directory.
- Monitor PyPI dependency manifests (requirements.txt, pyproject.toml) for pinned versions of dash-uploader in the vulnerable range.
- Capture full HTTP request bodies for upload endpoints to enable retrospective hunting for traversal payloads.
How to Mitigate CVE-2026-38360
Immediate Actions Required
- Inventory all internal and customer-facing Dash applications and identify any using dash-uploader versions 0.1.0 through 0.7.0a2.
- Restrict network exposure of affected Dash applications by placing them behind authenticated reverse proxies or VPN access until remediated.
- Deploy a Web Application Firewall (WAF) rule that blocks upload requests containing ../, ..\, or URL-encoded traversal sequences in filename parameters.
- Review filesystem and application logs for prior exploitation attempts using the indicators listed above.
Patch Information
At the time of NVD publication on 2026-05-08, no fixed release is referenced in the CVE record. Track the GitHub Project Repository and the PyPI Package Repository for a patched release beyond 0.7.0a2. Review the upstream discussion in the GitHub Issue Tracker for remediation status.
Workarounds
- Replace dash-uploader with an alternative upload component that enforces path canonicalization, or fork the project and add server-side validation that rejects filenames containing path separators.
- Run the Dash application as a low-privilege user inside a container with a read-only filesystem, exposing only the upload directory as writable.
- Enforce filename sanitization at a reverse proxy layer using werkzeug.utils.secure_filename semantics or equivalent allow-list validation before requests reach the handler.
# Configuration example: nginx rule to block traversal in upload filenames
# $request_body is empty when "if" runs (rewrite phase, before the body is read),
# so a plain "if" cannot inspect filenames inside a multipart POST body; that case
# needs a body-inspecting WAF module. This rule covers the query-string form
# (for example flowFilename) with raw or URL-encoded "../" and "..\" sequences.
# Backslash is written \x5c because nginx collapses "\\" to "\" in quoted strings.
location /upload {
    if ($request_uri ~* "(\.\.|%2e%2e)(/|\x5c|%2f|%5c)") {
        return 403;
    }
    proxy_pass http://dash_backend;
}
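The server-side validation the Root Cause section and the workaround list call for, as an added example (not code from the dash-uploader project or the original page): a basename allow-list in the spirit of secure_filename, followed by the canonicalization check that the vulnerable handler lacks. The upload root "uploads" and the function names are assumptions for illustration.

```python
import re
from pathlib import Path

class UnsafeFilename(ValueError):
    """Client-supplied filename would leave the upload root."""

# Allow-list for the basename: starts alphanumeric, then only [A-Za-z0-9._-], at most 255 chars.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")

def within_root(upload_root, path) -> bool:
    """Canonicalize both sides and check that path lies strictly below upload_root."""
    root = Path(upload_root).resolve()
    return root in Path(path).resolve().parents

def safe_upload_path(upload_root, client_filename: str) -> Path:
    """Return the destination for client_filename, or raise UnsafeFilename.

    Layer 1 rejects anything that is not a bare allow-listed basename, whichever
    separator style the client used. Layer 2 re-checks the canonical path, so a
    symlink already sitting in the upload directory cannot redirect the write.
    """
    name = re.split(r"[\\/]", client_filename)[-1]
    if name != client_filename or not SAFE_NAME.match(name):
        raise UnsafeFilename(f"rejected filename {client_filename!r}")
    candidate = Path(upload_root).resolve() / name
    if not within_root(upload_root, candidate):
        raise UnsafeFilename(f"{candidate} resolves outside {upload_root}")
    return candidate

def is_rejected(upload_root, client_filename: str) -> bool:
    """Helper for tests and logging: True when the name is refused."""
    try:
        safe_upload_path(upload_root, client_filename)
    except UnsafeFilename:
        return True
    return False

if __name__ == "__main__":
    for name in ("report.csv", "..\\..\\..\\app.py", "../../app.py", "/etc/passwd", "data..v2.csv"):
        print(f"{name!r}: {'rejected' if is_rejected('uploads', name) else 'accepted'}")
```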
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.