CVE-2026-42561 HIGH

CVE-2026-42561: Python-Multipart: Denial of Service via unbounded multipart part headers

Vendor: Kludex
Product: python-multipart
Weakness: CWE-770 · Uncontrolled resource consumption
Published: May 13, 2026
Last update: May 14, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.
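The class of limit described above, as an added example (not python-multipart's code or its actual fix): an incremental part-header reader that rejects input as soon as a header-count or header-size limit is exceeded, even when the header block is never terminated. The class, function and limit values are assumptions chosen for illustration.

```python
MAX_HEADER_COUNT = 8    # assumed limit for this example
MAX_HEADER_SIZE = 4096  # assumed per-header limit in bytes

class HeaderLimitError(ValueError):
    """A part-header limit was exceeded; the request should be rejected."""

class BoundedHeaderReader:
    """Incrementally parses one part's header block, up to the blank line."""

    def __init__(self, max_count=MAX_HEADER_COUNT, max_size=MAX_HEADER_SIZE):
        self.max_count, self.max_size = max_count, max_size
        self.headers = []           # completed (name, value) pairs
        self.pending = bytearray()  # bytes received but not yet parsed
        self.done = False           # True once the blank line is seen

    def feed(self, chunk: bytes) -> None:
        if self.done:
            return  # body bytes belong to the caller's body handler
        self.pending += chunk
        while not self.done:
            end = self.pending.find(b"\r\n")
            if end == -1:
                # No terminator yet: refuse to keep buffering an oversized
                # line (+1 allows a trailing "\r" whose "\n" is still to come).
                if len(self.pending) > self.max_size + 1:
                    raise HeaderLimitError("part header too large")
                return
            if end > self.max_size:
                raise HeaderLimitError("part header too large")
            line = bytes(self.pending[:end])
            del self.pending[: end + 2]
            if not line:
                self.done = True  # blank line ends the header block
            elif len(self.headers) >= self.max_count:
                raise HeaderLimitError("too many part headers")
            else:
                name, sep, value = line.partition(b":")
                if not sep:
                    raise ValueError("malformed part header")
                self.headers.append((name.strip().lower(), value.strip()))

def parse_in_chunks(data: bytes, size: int, **limits) -> BoundedHeaderReader:
    """Feed data to a reader in size-byte chunks, as a socket read loop would."""
    reader = BoundedHeaderReader(**limits)
    for i in range(0, len(data), size):
        reader.feed(data[i : i + size])
    return reader

# Constructed sample: one well-formed part header block followed by body bytes.
SAMPLE = (b'Content-Disposition: form-data; name="f"; filename="a.txt"\r\n'
          b"Content-Type: text/plain\r\n\r\nbody")
```

Both checks run before any further parsing work is done on the offending bytes, so the cost of a rejected request is bounded by the limits rather than by the request size.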

Key dates

Disclosure timeline

May 13, 2026: CVE published
May 14, 2026: Record updated