Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-40491

CVE-2026-40491: gdown Path Traversal Vulnerability

CVE-2026-40491 is a path traversal flaw in gdown that allows attackers to write files outside intended directories during archive extraction. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-40491 Overview

CVE-2026-40491 is a Path Traversal vulnerability affecting gdown, a popular Google Drive public file and folder downloader library. Versions prior to 5.2.2 are vulnerable to a path traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members, allowing files to be written outside the intended destination directory. This can potentially lead to arbitrary file overwrite and Remote Code Execution (RCE).

Critical Impact

Attackers can craft malicious archives that, when extracted using vulnerable gdown versions, write files to arbitrary locations on the file system, potentially overwriting critical system files or placing malicious code in executable paths.

Affected Products

  • gdown versions prior to 5.2.2
  • Python applications utilizing vulnerable gdown versions for Google Drive file extraction
  • Systems processing user-supplied or untrusted archives through gdown

Discovery Timeline

  • 2026-04-18 - CVE CVE-2026-40491 published to NVD
  • 2026-04-20 - Last updated in NVD database

Technical Details for CVE-2026-40491

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw exists in gdown's archive extraction functionality, specifically in how filenames from ZIP and TAR archive members are processed before extraction.

When a user downloads an archive from Google Drive and extracts it using gdown, the library processes each filename within the archive. In vulnerable versions, these filenames are not properly sanitized to prevent directory traversal sequences such as ../ or absolute paths. An attacker can craft a malicious archive containing files with names like ../../../etc/cron.d/malicious or ../../.bashrc, which would be extracted outside the intended destination directory.

The vulnerability requires user interaction—specifically, the victim must download and extract a malicious archive using the vulnerable gdown library. However, given gdown's widespread use in data science workflows and automated pipelines, the impact can be significant.

Root Cause

The root cause is the absence of filename sanitization in the extractall functionality. Prior to version 5.2.2, the library directly used filenames from archive members without validating that the resulting file path remains within the intended extraction directory. Additionally, the _get_filename_from_response function did not properly sanitize filenames obtained from HTTP Content-Disposition headers, allowing special characters, null bytes, and path separators to be processed.

Attack Vector

The attack requires network access and user interaction. An attacker would:

  1. Create a malicious archive (ZIP or TAR) containing files with path traversal sequences in their names
  2. Host the archive on Google Drive or distribute it through other means
  3. Trick a victim into downloading and extracting the archive using a vulnerable version of gdown
  4. Upon extraction, files are written to arbitrary locations based on the traversal paths in the archive

The following patch demonstrates how the vulnerability was fixed by introducing proper filename sanitization:

python
# Security patch - _sanitize_filename function added to gdown/download.py
def _sanitize_filename(filename):
    filename = filename.replace("\\x00", "")
    filename = filename.replace("/", "_").replace("\\", "_").strip()
    if filename in ("", ".", ".."):
        return "_"
    return filename


def _get_filename_from_response(response):
    content_disposition = urllib.parse.unquote(response.headers["Content-Disposition"])

    m = re.search(r"filename\*=UTF-8''(.*)", content_disposition)
    if m:
        return _sanitize_filename(m.groups()[0])

    m = re.search('attachment; filename="(.*?)"', content_disposition)
    if m:
        return _sanitize_filename(m.groups()[0])

    return None

Source: GitHub Commit

Detection Methods for CVE-2026-40491

Indicators of Compromise

  • Files appearing in unexpected directories after archive extraction operations
  • Presence of files with path traversal patterns in extraction logs or audit trails
  • Modified system configuration files, cron jobs, or shell profiles following gdown operations
  • Unexpected executable files in user home directories or system paths

Detection Strategies

  • Monitor file system operations during archive extraction for writes outside expected directories
  • Implement application-level logging that captures filenames being extracted from archives
  • Deploy endpoint detection rules that alert on file creation in sensitive directories following Python process execution
  • Scan installed Python packages for gdown versions prior to 5.2.2 using dependency auditing tools

Monitoring Recommendations

  • Enable file integrity monitoring on critical system directories and user profile configurations
  • Implement network monitoring for downloads of suspicious archive files from cloud storage services
  • Configure process monitoring to track extraction operations involving the gdown library
  • Review pip/conda dependency lists across development and production environments

How to Mitigate CVE-2026-40491

Immediate Actions Required

  • Upgrade gdown to version 5.2.2 or later immediately using pip install --upgrade gdown
  • Audit systems for any signs of exploitation, particularly unexpected file modifications
  • Review any archives recently processed through vulnerable gdown versions
  • Implement application sandboxing to limit file system access during archive extraction operations

Patch Information

The vulnerability has been fixed in gdown version 5.2.2. The patch introduces a _sanitize_filename function that removes null bytes, replaces path separators (/ and \) with underscores, strips whitespace, and handles edge cases like . and .. filenames. This sanitization is applied to filenames obtained from both archive members and HTTP Content-Disposition headers.

Users should upgrade using:

  • pip: pip install gdown>=5.2.2
  • conda: Update to the latest version available in your channel

For more details, see the GitHub Security Advisory and Release Notes for v5.2.2.

Workarounds

  • Avoid processing untrusted archives through gdown until the upgrade is applied
  • Implement wrapper scripts that validate archive contents before extraction
  • Use containerization or sandboxing to isolate gdown extraction operations from sensitive file system areas
  • Manually extract and inspect archive contents using trusted tools before processing
bash
# Upgrade gdown to patched version
pip install --upgrade gdown>=5.2.2

# Verify installed version
pip show gdown | grep Version

# Audit for vulnerable versions across environments
pip list --outdated | grep gdown

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.