CVE-2026-40491 Overview
CVE-2026-40491 is a Path Traversal vulnerability affecting gdown, a popular Google Drive public file and folder downloader library. Versions prior to 5.2.2 are vulnerable to a path traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members, allowing files to be written outside the intended destination directory. This can potentially lead to arbitrary file overwrite and Remote Code Execution (RCE).
Critical Impact
Attackers can craft malicious archives that, when extracted using vulnerable gdown versions, write files to arbitrary locations on the file system, potentially overwriting critical system files or placing malicious code in executable paths.
Affected Products
- gdown versions prior to 5.2.2
- Python applications utilizing vulnerable gdown versions for Google Drive file extraction
- Systems processing user-supplied or untrusted archives through gdown
Discovery Timeline
- 2026-04-18 - CVE-2026-40491 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40491
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw exists in gdown's archive extraction functionality, specifically in how filenames from ZIP and TAR archive members are processed before extraction.
When a user downloads an archive from Google Drive and extracts it using gdown, the library processes each filename within the archive. In vulnerable versions, these filenames are not properly sanitized to prevent directory traversal sequences such as ../ or absolute paths. An attacker can craft a malicious archive containing files with names like ../../../etc/cron.d/malicious or ../../.bashrc, which would be extracted outside the intended destination directory.
The vulnerability requires user interaction—specifically, the victim must download and extract a malicious archive using the vulnerable gdown library. However, given gdown's widespread use in data science workflows and automated pipelines, the impact can be significant.
Root Cause
The root cause is the absence of filename sanitization in the extractall functionality. Prior to version 5.2.2, the library directly used filenames from archive members without validating that the resulting file path remains within the intended extraction directory. Additionally, the _get_filename_from_response function did not properly sanitize filenames obtained from HTTP Content-Disposition headers, allowing special characters, null bytes, and path separators to be processed.
Attack Vector
The attack requires network access and user interaction. An attacker would:
- Create a malicious archive (ZIP or TAR) containing files with path traversal sequences in their names
- Host the archive on Google Drive or distribute it through other means
- Trick a victim into downloading and extracting the archive using a vulnerable version of gdown
- Upon extraction, files are written to arbitrary locations based on the traversal paths in the archive
The following patch demonstrates how the vulnerability was fixed by introducing proper filename sanitization:
# Security patch - _sanitize_filename function added to gdown/download.py
import re
import urllib.parse


def _sanitize_filename(filename):
    # Drop NUL bytes, which would otherwise truncate the name at the filesystem layer
    filename = filename.replace("\x00", "")
    # Replace both path separators so the name cannot carry directory components
    filename = filename.replace("/", "_").replace("\\", "_").strip()
    # An empty name or a bare "." / ".." would resolve to the directory itself or its parent
    if filename in ("", ".", ".."):
        return "_"
    return filename


def _get_filename_from_response(response):
    content_disposition = urllib.parse.unquote(response.headers["Content-Disposition"])
    # RFC 5987 form: filename*=UTF-8''<name>
    m = re.search(r"filename\*=UTF-8''(.*)", content_disposition)
    if m:
        return _sanitize_filename(m.groups()[0])
    # Plain form: attachment; filename="<name>"
    m = re.search('attachment; filename="(.*?)"', content_disposition)
    if m:
        return _sanitize_filename(m.groups()[0])
    return None
Source: GitHub Commit
Detection Methods for CVE-2026-40491
Indicators of Compromise
- Files appearing in unexpected directories after archive extraction operations
- Presence of files with path traversal patterns in extraction logs or audit trails
- Modified system configuration files, cron jobs, or shell profiles following gdown operations
- Unexpected executable files in user home directories or system paths
Detection Strategies
- Monitor file system operations during archive extraction for writes outside expected directories
- Implement application-level logging that captures filenames being extracted from archives
- Deploy endpoint detection rules that alert on file creation in sensitive directories following Python process execution
- Scan installed Python packages for gdown versions prior to 5.2.2 using dependency auditing tools
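The last strategy above, scanning for gdown versions below 5.2.2, is easy to get wrong on version edge cases (a short "5.2" pin, a "5.2.2rc1" pre-release). The following is an added example for this advisory, not a gdown or pip tool: it audits requirements.txt or pip freeze lines for gdown pins, judges them against the 5.2.2 fix, and also reports what the running interpreter has installed. The sample requirement lines are constructed for the demonstration.

```python
import re
from importlib import metadata

FIXED = (5, 2, 2)  # first gdown release carrying the sanitization fix

# Requirement line: package name, optional specifier operator, optional version
REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)\s*(?P<op>==|~=|>=|<=|!=|<|>)?\s*(?P<ver>[^\s;#,]+)?"
)


def is_vulnerable(version_text):
    """True if version_text is below 5.2.2; None if it cannot be parsed.

    A pre-release tag on 5.2.2 itself (e.g. 5.2.2rc1) still counts as below
    the fix; post-releases (.postN) and local versions (+tag) do not.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version_text.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]  # pad so "5.2" compares as 5.2.0
    tag = m.group(2)
    prerelease = bool(tag) and not tag.startswith((".post", "+"))
    return nums < FIXED or (nums == FIXED and prerelease)


def audit_requirements(lines):
    """Scan requirements.txt / pip freeze lines and report every gdown entry.

    Returns a list of (line_number, verdict, raw_line) with verdict one of
    'vulnerable', 'fixed' or 'unpinned'. Only exact '==' pins (what pip freeze
    emits) can be judged; range specifiers and URL installs need resolving.
    """
    findings = []
    for number, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        m = REQ_LINE.match(line)
        if not m or m.group("name").lower().replace("_", "-") != "gdown":
            continue
        if m.group("op") == "==" and m.group("ver"):
            vuln = is_vulnerable(m.group("ver"))
            verdict = "unpinned" if vuln is None else ("vulnerable" if vuln else "fixed")
        else:
            verdict = "unpinned"
        findings.append((number, verdict, raw.rstrip()))
    return findings


def check_installed():
    """Report the gdown version visible to this interpreter, if any."""
    try:
        installed = metadata.version("gdown")
    except metadata.PackageNotFoundError:
        return ("not installed", None)
    return ("vulnerable" if is_vulnerable(installed) else "fixed", installed)


# Constructed sample: a mixed requirements file as an auditor might meet it
SAMPLE_LINES = [
    "numpy==1.26.4",
    "gdown==5.1.0",
    "GDown==5.2.2",
    "gdown==5.2.2rc1  # pre-release of the fixed version",
    "# gdown==4.0.0",
    "gdown @ git+https://example.invalid/gdown.git",
    "gdown>=5.0",
]


def run_demo():
    """Audit the constructed sample and return the findings."""
    return audit_requirements(SAMPLE_LINES)


if __name__ == "__main__":
    for number, verdict, raw in run_demo():
        print(f"line {number}: {verdict:10s} {raw}")
    print("this environment:", check_installed())
```

Run it against each environment's `pip freeze > requirements.txt` output; any "vulnerable" line is a host to upgrade, and "unpinned" lines need the resolved version checked with `pip show gdown` on that host.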
Monitoring Recommendations
- Enable file integrity monitoring on critical system directories and user profile configurations
- Implement network monitoring for downloads of suspicious archive files from cloud storage services
- Configure process monitoring to track extraction operations involving the gdown library
- Review pip/conda dependency lists across development and production environments
How to Mitigate CVE-2026-40491
Immediate Actions Required
- Upgrade gdown to version 5.2.2 or later immediately using pip install --upgrade gdown
- Audit systems for any signs of exploitation, particularly unexpected file modifications
- Review any archives recently processed through vulnerable gdown versions
- Implement application sandboxing to limit file system access during archive extraction operations
Patch Information
The vulnerability has been fixed in gdown version 5.2.2. The patch introduces a _sanitize_filename function that removes null bytes, replaces path separators (/ and \) with underscores, strips whitespace, and handles edge cases like . and .. filenames. This sanitization is applied to filenames obtained from both archive members and HTTP Content-Disposition headers.
Users should upgrade using:
- pip: pip install "gdown>=5.2.2" (quoted so the shell does not treat >= as an output redirect)
- conda: Update to the latest version available in your channel
For more details, see the GitHub Security Advisory and Release Notes for v5.2.2.
Workarounds
- Avoid processing untrusted archives through gdown until the upgrade is applied
- Implement wrapper scripts that validate archive contents before extraction
- Use containerization or sandboxing to isolate gdown extraction operations from sensitive file system areas
- Manually extract and inspect archive contents using trusted tools before processing
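The traversal described under Attack Vector, and the wrapper-script workaround listed above, come down to one check: every member's resolved destination must stay inside the extraction directory. The following is an added example for this advisory, not gdown's own code, showing such a wrapper for ZIP and TAR. The archives it extracts are constructed in memory for the demonstration; `UnsafeArchiveMember`, `audit_members` and `safe_extract` are names chosen here.

```python
import io
import os
import tarfile
import tempfile
import zipfile


class UnsafeArchiveMember(ValueError):
    """Raised with the list of member names that would escape the destination."""


def audit_members(names, dest):
    """Return the member names that would be written outside dest.

    Backslashes are treated as separators so a '..\\..\\x' name is caught on
    POSIX too; absolute names and '..' traversal resolve to a path outside dest.
    """
    dest_real = os.path.realpath(dest)
    bad = []
    for name in names:
        normalized = name.replace("\\", "/")
        target = os.path.realpath(os.path.join(dest_real, normalized))
        inside = target == dest_real or target.startswith(dest_real + os.sep)
        if os.path.isabs(normalized) or not inside:
            bad.append(name)
    return bad


def safe_extract(archive_bytes, dest, kind):
    """Extract an in-memory ZIP or TAR (kind = 'zip' or 'tar') into dest.

    The whole archive is refused if any member fails the check, so a partial
    extraction never leaves a half-written payload behind.
    """
    os.makedirs(dest, exist_ok=True)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            bad = audit_members(zf.namelist(), dest)
            if bad:
                raise UnsafeArchiveMember(bad)
            zf.extractall(dest)
            return zf.namelist()
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
            members = tf.getmembers()
            bad = audit_members([m.name for m in members], dest)
            # Symlinks, hard links and device nodes can also escape dest, so
            # only regular files and directories are admitted.
            bad += [m.name for m in members if not (m.isfile() or m.isdir())]
            if bad:
                raise UnsafeArchiveMember(bad)
            # Where tarfile.data_filter exists (3.12+ and the security
            # backports), use it as a second line of defence.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tf.extractall(dest, **extra)
            return [m.name for m in members]
    raise ValueError("kind must be 'zip' or 'tar'")


def build_zip(entries):
    """Constructed test data: ZIP bytes from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_tar(entries, symlinks=()):
    """Constructed test data: TAR bytes from {name: bytes} plus (name, target) symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        for name, target in symlinks:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)
    return buf.getvalue()


def run_demo():
    """Extract clean archives, then refuse crafted ZIP and TAR archives."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        results["clean_zip"] = safe_extract(build_zip({"data/readme.txt": b"ok\n"}), dest, "zip")
        results["clean_tar"] = safe_extract(build_tar({"data/readme.txt": b"ok\n"}), dest, "tar")
        crafted = {"data/readme.txt": b"ok\n", "../escaped.txt": b"written outside dest\n"}
        for kind, blob in (("zip", build_zip(crafted)),
                           ("tar", build_tar(crafted, symlinks=[("etc_link", "/etc/passwd")]))):
            try:
                safe_extract(blob, dest, kind)
                results["crafted_" + kind] = "extracted"
            except UnsafeArchiveMember as exc:
                results["crafted_" + kind] = exc.args[0]
        # The traversal target sits one level above dest; it must not exist.
        results["escaped_file_exists"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check runs before any member is written, and the verdict covers the whole archive rather than silently skipping the offending entry; that is what makes the wrapper usable as a gate in a pipeline, since a skipped member would still leave the caller believing the download was complete.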
# Upgrade gdown to the patched version (quote the specifier so the shell does not treat >= as an output redirect)
pip install --upgrade "gdown>=5.2.2"
# Verify installed version
pip show gdown | grep Version
# Audit for vulnerable versions across environments (this lists gdown only when a newer release exists; compare the version shown above against 5.2.2)
pip list --outdated | grep gdown
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.