Critical (9.8)

Flask Path Traversal (CVE-2026-27641)

Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and re...

Affected: Flask

Overview

A critical security vulnerability has been identified in Flask-Reuploaded, a popular extension for handling file uploads in Flask web applications. This flaw could allow an attacker to completely compromise an affected server.

Vulnerability Explanation

In simple terms, this vulnerability is a combination of two issues in the file upload process. First, it allows an attacker to bypass security checks and upload files with dangerous extensions. Second, it enables “path traversal,” where an attacker can write the uploaded file to any location on the server’s filesystem, not just the intended upload directory. By combining these flaws, an attacker can upload a malicious web template file to a critical location and then trigger it, leading to full server control through Server-Side Template Injection (SSTI).

Potential Impact

The impact of this vulnerability is severe. A successful attack could result in:

  • Arbitrary File Write: An attacker can overwrite or create files anywhere the web server has write permissions.
  • Remote Code Execution (RCE): The attacker can run any code or command on the underlying server.
  • Complete System Compromise: This can lead to data theft, service disruption, or use of the server as a foothold for further attacks within your network.

Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Solution – Update: The issue is fully patched in Flask-Reuploaded version 1.5.0. Upgrade your application’s dependencies to this version or higher as soon as possible.

Immediate Workarounds: If an immediate update is not possible, apply these strict configuration changes:

  1. Do Not Use User-Provided Filenames: Avoid passing any user-controlled input to the name parameter of the upload function. Use only auto-generated filenames (like UUIDs).
  2. Implement Strict Validation: If you absolutely must use a custom name parameter, you must enforce rigorous validation. This includes stripping directory paths (../) and allowing only a strict, pre-approved set of safe file extensions.
  3. Restrict Upload Directory Permissions: Ensure the upload directory is configured with the minimum necessary filesystem permissions and, if possible, is located outside of the web root.
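The following helper applies workarounds 1 and 2 in application code: it discards the user-supplied name in favour of a UUID, accepts only an allowlisted final extension, and checks the fully resolved destination against the upload directory before anything is written. It is an added example, not code from the advisory or from Flask-Reuploaded; the allowlist, helper names and upload directory are assumptions.

```python
import uuid
from pathlib import Path
from typing import Optional

# Assumed allowlist for this example; restrict it to what the application really needs.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}


def safe_extension(user_filename: str) -> Optional[str]:
    """Return the lower-cased final extension if it is allowlisted, else None.

    Only the last suffix counts, so 'report.pdf.html' is rejected (html is not
    allowed) and a name like '../../x.png' still yields 'png' for the new name.
    """
    ext = Path(user_filename).suffix.lower().lstrip(".")
    return ext if ext in ALLOWED_EXTENSIONS else None


def generated_name(user_filename: str) -> Optional[str]:
    """Workaround 1: never reuse the user's name; build a UUID name with a vetted extension."""
    ext = safe_extension(user_filename)
    if ext is None:
        return None
    return f"{uuid.uuid4().hex}.{ext}"


def contained_path(upload_dir: str, name: str) -> Optional[str]:
    """Workaround 2: resolve the final path and refuse anything outside upload_dir.

    Comparing resolved paths (not raw strings) catches '../' sequences, absolute
    names and symlinks that point out of the directory.
    """
    base = Path(upload_dir).resolve()
    target = (base / name).resolve()
    if target == base:
        return None  # empty or '.' name would target the directory itself
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return str(target)


def safe_upload_path(upload_dir: str, user_filename: str) -> Optional[str]:
    """Full destination for an upload, or None if the request must be rejected."""
    name = generated_name(user_filename)
    if name is None:
        return None
    return contained_path(upload_dir, name)
```

`contained_path` is the check to run on whatever name finally reaches the filesystem, even when the name was generated, so a future change to naming cannot silently reintroduce traversal.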

All users of Flask-Reuploaded should prioritize upgrading to the patched version to eliminate this critical risk.
