CVE-2026-27199: Werkzeug safe_join() allows Windows special device names

February 19, 2026 (updated February 23, 2026)

Werkzeug’s safe_join function allows Windows device names as filenames if when preceded by other path segments.

This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL.

send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-27199 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →