CVE-2026-42196 — django-s3file is vulnerable to relative path traversal

Description

### Impact `S3FileMiddleware` is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into `request.FILES` Depending on how files are handled, this may lead to confidentiality and integrity issues. ### Patches Django-S3File urges all users to update to a patched version >=7.0.2.

How to fix CVE-2026-42196

To remediate CVE-2026-42196, upgrade the affected package to a fixed version below.

—upgrade to 7.0.2 or later

Is CVE-2026-42196 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 7.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-42196
PATCHgithub.com/codingjoe/django-s3file
WEBgithub.com/codingjoe/django-s3file/security/advisories/GHSA-67qg-7284-2277