CVE-2026-40347: Python-Multipart affected by Denial of Service via large multipart preamble or epilogue data

Published Apr 15, 2026
·
Updated

Summary

A denial of service vulnerability exists when parsing crafted multipart/form-data requests with large preamble or epilogue sections.

Details

Two inefficient multipart parsing paths could be abused with attacker-controlled input.

Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.

Impact

An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application.

Mitigation

Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Other sources

Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted multipart/form-data requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

MITRE

Affected Software

2 affected componentsFixes available
pip/python-multipart<0.0.26
0.0.26
Fastapiexpert Python-multipart Python<0.0.26

Event History

Apr 15, 2026
Advisory Published
via GitHub·07:45 PM
Data Sourced
via GitHub·07:45 PM
DescriptionSeverityWeaknessAffected Software
Apr 17, 2026
CVE Published
via MITRE·11:56 PM
Data Sourced
via MITRE·11:56 PM
DescriptionSeverityWeakness
Apr 18, 2026
Data Sourced
via NVD·12:16 AM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-40347?

The CVE-2026-40347 vulnerability is classified as a denial of service (DoS) issue.

2

How can I fix CVE-2026-40347?

To fix CVE-2026-40347, update the python-multipart package to version 0.0.26 or later.

3

What causes the CVE-2026-40347 vulnerability?

CVE-2026-40347 is caused by inefficient multipart parsing paths that can be exploited with crafted multipart/form-data requests.

4

What types of attacks can be executed using CVE-2026-40347?

CVE-2026-40347 allows attackers to execute denial of service attacks by sending specially crafted multipart/form-data requests.

5

Is CVE-2026-40347 related to any specific software?

Yes, CVE-2026-40347 specifically affects the python-multipart package versions prior to 0.0.26.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203