Threat Feed
critical advisory

django-s3file Vulnerable to Relative Path Traversal

The django-s3file package is vulnerable to relative path traversal via its S3FileMiddleware component: a crafted request can reference objects outside the pre-signed upload location, so the middleware loads files the client was never authorized to submit into request.FILES, with unauthorized file access and modification as the likely consequences.

The django-s3file package, in versions 7.0.1 and earlier, contains a critical relative path traversal vulnerability in the S3FileMiddleware component. The middleware takes the S3 key of a file that the browser uploaded to a pre-signed location from the client's POST request and loads that object into request.FILES. Because ".." segments in the submitted key are not neutralized before the key is resolved against the intended upload location, a malicious actor can craft an HTTP request whose key escapes that location and have the Django application load an arbitrary object from the bucket into request.FILES. The issue was reported on May 5, 2026. It poses a significant risk to confidentiality and integrity because of the potential for unauthorized file access and modification. Defenders should prioritize patching to version 7.0.2 or later to mitigate this risk.

Attack Chain

  1. An attacker identifies a Django application running a vulnerable version of django-s3file (<= 7.0.1).
  2. The attacker studies the application's file upload flow, which uploads directly to a pre-signed S3 location and hands the resulting S3 key back to the application for S3FileMiddleware to process.
  3. The attacker crafts a POST request in which the submitted key or filename contains relative path segments (for example "../" or "../../") that point outside the pre-signed upload location.
  4. The manipulated request is sent to the Django application in place of a legitimate upload completion.
  5. S3FileMiddleware does not neutralize the ".." segments, so the key resolves outside the intended pre-signed upload location.
  6. The application fetches the object at the attacker-chosen location in the S3 bucket.
  7. The middleware places the content of that object into request.FILES, where the application's own view logic consumes it as if it were a legitimate upload.
  8. Depending on how the application then handles request.FILES, the attacker can achieve unauthorized file access or modification, or remote code execution if the "uploaded" content is processed unsafely.
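The chain above comes down to one check: whether the submitted S3 key is normalized before it is compared against the pre-signed upload location. The following is an added example, not django-s3file's own code, that models the middleware in a few lines and contrasts a prefix-only check (which "tmp/s3file/../../private/config.json" passes) with a normalized check. The upload prefix, the POST layout, the in-memory bucket and the assumption that ".." is collapsed at fetch time are all constructed for illustration.

```python
"""Model of how a relative path in a submitted S3 key escapes the pre-signed
upload location, and the check that stops it.

Added example, not django-s3file's own code. The upload prefix, the POST
layout, the in-memory bucket and the fetch-time normalization are assumptions.
"""
import posixpath

# Assumed pre-signed upload location: the key prefix uploads are confined to.
UPLOAD_PREFIX = "tmp/s3file/"

# Constructed stand-in for the S3 bucket: object key -> content.
BUCKET = {
    "tmp/s3file/report.pdf": b"%PDF-1.4 benign upload",
    "private/config.json": b'{"db_password": "hunter2"}',
}

# Constructed POST bodies (assumed layout: 's3file' lists the file fields,
# each listed field carries the S3 key(s) the browser uploaded to).
BENIGN_POST = {"s3file": ["document"], "document": ["tmp/s3file/report.pdf"]}
ATTACK_POST = {"s3file": ["document"],
               "document": ["tmp/s3file/../../private/config.json"]}


def is_allowed_key_naive(key: str) -> bool:
    """Prefix-only check: a key with '..' segments still starts with the prefix."""
    return key.startswith(UPLOAD_PREFIX)


def is_allowed_key_hardened(key: str) -> bool:
    """Collapse '.' and '..' segments first, then require the key to stay
    strictly below the upload prefix."""
    if not key or key.startswith("/"):
        return False
    normalized = posixpath.normpath(key)
    # UPLOAD_PREFIX ends in '/', so the prefix directory itself and siblings
    # such as 'tmp/s3file_evil/x' are rejected along with escaped keys.
    return normalized.startswith(UPLOAD_PREFIX)


def resolve_key(key: str) -> str:
    """Key the storage layer ends up fetching. Assumption: '..' segments are
    collapsed somewhere between the middleware and the object store."""
    return posixpath.normpath(key)


def load_request_files(post_data: dict, validator) -> dict:
    """Middleware model: for every field named in 's3file', fetch the client-
    supplied key (if the validator accepts it) and place the content where
    request.FILES would receive it."""
    files = {}
    for field in post_data.get("s3file", []):
        for key in post_data.get(field, []):
            if not validator(key):
                continue  # key outside the signed location is dropped
            content = BUCKET.get(resolve_key(key))
            if content is not None:
                files[field] = content
    return files


if __name__ == "__main__":
    print("naive   :", load_request_files(ATTACK_POST, is_allowed_key_naive))
    print("hardened:", load_request_files(ATTACK_POST, is_allowed_key_hardened))
```

Run stand-alone, the naive validator hands the contents of private/config.json to the application as the "document" upload, while the hardened validator drops the key and request.FILES stays empty. The trailing slash on the prefix matters: without it, a sibling prefix such as tmp/s3file_evil/ would also pass.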

Impact

Successful exploitation lets an attacker bypass the control that confines uploads to the pre-signed location. The primary impact is unauthorized read access to objects in the S3 bucket the Django application uses, since any object the application's credentials can reach may be loaded into request.FILES. Depending on what the application then does with those files, an attacker could modify existing data, plant malicious content, or gain remote code execution if the content is processed unsafely. Given the "critical" severity rating, organizations running affected versions should prioritize patching to prevent data breaches or system compromise.

Recommendation

  • Upgrade the django-s3file package to version 7.0.2 or later to remediate the path traversal vulnerability described in CVE-2026-42196.
  • Deploy the Sigma rule “Detect Django S3File Path Traversal Attempt” to monitor for suspicious HTTP requests containing relative paths in file upload URLs.
  • Implement robust input validation on all file uploads regardless of the middleware in use: normalize any client-supplied key or filename first and then require the normalized value to remain under the expected upload prefix. A prefix check without normalization is exactly what relative traversal defeats.

Detection coverage (2 rules)

Detect Django S3File Path Traversal Attempt

Severity: high

Detects HTTP requests that attempt path traversal using relative paths when uploading files to django-s3file.

Format: sigma | Tactics: initial_access | Techniques: T1189 | Sources: webserver, linux

Detect Django S3File Double Encoding Path Traversal

Severity: high

Detects HTTP requests with double-encoded characters in file upload paths, indicative of path traversal attempts in Django S3File.

Format: sigma | Tactics: initial_access | Techniques: T1189 | Sources: webserver, linux
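The two rules differ only in how many URL-decoding passes it takes before "../" appears in the request target. The following added example (not the platform's Sigma queries, which are not on this page) shows that logic run over constructed web-server log lines: a single decode catches plain and singly encoded traversal, and a second decode catches the double-encoded variant. The upload URL prefixes, the log lines and the client addresses are constructed for illustration.

```python
"""Constructed detection logic for the two rules above: '../' present in the
request target of an upload URL after one URL-decode (relative traversal), or
present only after a second decode (double encoding).

Added example; the platform's actual Sigma queries are not on this page. The
upload URL prefixes and the log lines are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Assumed upload endpoints for this application; a deployed rule would scope
# on the application's real upload paths.
UPLOAD_PATHS = ("/upload", "/s3file")

# Request line inside an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A '..' segment bounded by start/end of string or by a path/query delimiter,
# so 'app..min.js' does not match but 'key=../x' and '/../' do.
DOTDOT_RE = re.compile(r"(?:^|[/=?&])\.\.(?:[/?&]|$)")

# Constructed log lines. The 10.0.0.9 entries carry the same traversal
# URL-encoded once and then twice.
LOG_LINES = [
    '10.0.0.5 - - [05/May/2026:10:00:01 +0000] "POST /upload/ HTTP/1.1" 200 512',
    '10.0.0.7 - - [05/May/2026:10:00:02 +0000] "POST /upload/?key=tmp/s3file/../../private/config.json HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/May/2026:10:00:03 +0000] "POST /upload/?key=tmp/s3file/%2e%2e/%2e%2e/private/config.json HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/May/2026:10:00:04 +0000] "POST /upload/?key=tmp/s3file/%252e%252e/%252e%252e/private/config.json HTTP/1.1" 200 512',
    '10.0.0.3 - - [05/May/2026:10:00:05 +0000] "GET /static/js/app..min.js HTTP/1.1" 200 10',
    '10.0.0.3 - - [05/May/2026:10:00:06 +0000] "GET /other/../etc/passwd HTTP/1.1" 404 10',
]


def classify(target: str):
    """Return 'relative', 'double_encoded', or None for one request target."""
    once = unquote(target)   # what the web server / framework itself decodes
    twice = unquote(once)    # what a second decoding pass would yield
    if not any(once.startswith(p) for p in UPLOAD_PATHS):
        return None          # out of scope: not an upload URL
    # Backslashes are folded to '/' so '..\' spellings are caught as well.
    if DOTDOT_RE.search(once.replace("\\", "/")):
        return "relative"
    if DOTDOT_RE.search(twice.replace("\\", "/")):
        return "double_encoded"
    return None


def scan(lines):
    """Return (client_ip, verdict, target) for each suspicious upload request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group("target"))
        if verdict:
            hits.append((line.split(" ", 1)[0], verdict, m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, verdict, target in scan(LOG_LINES):
        print(f"{ip:10} {verdict:15} {target}")
```

Scoping to upload URLs is deliberate: the last log line is a traversal attempt, but it is not against the upload endpoint and so falls to a generic traversal rule rather than to these two. Note that the attacker's key may also travel in the POST body rather than the query string, which a request-line rule will not see; body inspection needs a WAF or application log.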

Detection queries are kept inside the platform.