CVE-2026-42196: django-s3file is vulnerable to relative path traversal

May 5, 2026

S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILES

Depending on how files are handled, this may lead to confidentiality and integrity issues.

References

github.com/advisories/GHSA-67qg-7284-2277
github.com/codingjoe/django-s3file
github.com/codingjoe/django-s3file/security/advisories/GHSA-67qg-7284-2277
nvd.nist.gov/vuln/detail/CVE-2026-42196

Code Behaviors & Features

Detect and mitigate CVE-2026-42196 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →