CVE-2026-8328: FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
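The following is an added demonstration, not CPython's own code, although it drives the real ftplib.FTP, parse227() and makepasv(): it performs the PASV handshake the way ftpcp() does, beside the hardened form that routes it through makepasv(), and records which PORT command the target would receive. The FTP objects, the 227 reply and the peer addresses are constructed so nothing touches the network.

```python
"""Added example: ftpcp()'s PASV handshake versus a makepasv()-based fix."""
import socket
from ftplib import FTP, parse227


class _FakeSock:
    """Stand-in for the control socket; makepasv() only calls getpeername()."""
    def __init__(self, peer):
        self._peer = peer

    def getpeername(self):
        return self._peer


def fake_ftp(peer_ip, pasv_reply):
    """Build an FTP object that never connects. Replies are constructed,
    peer_ip is what getpeername() would report for the real control
    connection, and 'sent' records every command voidcmd() is given."""
    ftp = FTP()                      # empty host: the constructor does not connect
    ftp.af = socket.AF_INET
    ftp.sock = _FakeSock((peer_ip, 21))
    ftp.trust_server_pasv_ipv4_address = False   # default since the CVE-2021-4189 fix
    ftp.sent = []
    ftp.sendcmd = lambda cmd: pasv_reply if cmd == 'PASV' else '200 OK'
    ftp.voidcmd = lambda cmd: ftp.sent.append(cmd) or '200 OK'
    return ftp


def pasv_handshake_as_in_ftpcp(source, target):
    """Pattern described in the advisory: parse227() on the raw reply, so the
    host the server chose is forwarded verbatim to the target's PORT command."""
    host, port = parse227(source.sendcmd('PASV'))
    target.sendport(host, port)
    return host, port


def pasv_handshake_hardened(source, target):
    """Mitigation: makepasv() substitutes the peer address of the control
    connection for the server-supplied host unless trust was opted into."""
    host, port = source.makepasv()
    target.sendport(host, port)
    return host, port


def demo():
    """Constructed scenario: the server claims its data port is on another
    host. Returns (address handed to target, PORT command target sent)."""
    reply = '227 Entering Passive Mode (10,0,0,5,4,1)'
    src, dst = fake_ftp('198.51.100.7', reply), fake_ftp('203.0.113.9', reply)
    vuln = pasv_handshake_as_in_ftpcp(src, dst), dst.sent[-1]
    safe = pasv_handshake_hardened(src, dst), dst.sent[-1]
    return {'as_in_ftpcp': vuln, 'hardened': safe}


if __name__ == '__main__':
    for name, result in demo().items():
        print(name, result)   # hardened: (('198.51.100.7', 1025), 'PORT 198,51,100,7,4,1')
```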
Frequently Asked Questions
What is the severity of CVE-2026-8328?
CVE-2026-8328 is considered a high severity vulnerability due to its potential for exploitation through SSRF attacks.
How do I fix CVE-2026-8328?
To fix CVE-2026-8328, update to the latest version of Python CPython ftplib where the vulnerability has been addressed.
Which versions of Python CPython ftplib are affected by CVE-2026-8328?
CVE-2026-8328 affects specific versions of Python CPython ftplib prior to the security patches that address this issue.
What type of attack does CVE-2026-8328 facilitate?
CVE-2026-8328 facilitates Server-Side Request Forgery (SSRF) attacks by trusting server-supplied PASV host addresses.
Is CVE-2026-8328 related to previous vulnerabilities?
Yes, CVE-2026-8328 is related to CVE-2021-4189, which involved similar trust issues with PASV addresses.