{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-42561","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-04-28T16:56:50.192Z","datePublished":"2026-05-13T20:55:11.767Z","dateUpdated":"2026-07-15T00:57:13.760Z"},"containers":{"cna":{"title":"Python-Multipart: Denial of Service via unbounded multipart part headers","problemTypes":[{"descriptions":[{"cweId":"CWE-770","lang":"en","description":"CWE-770: Allocation of Resources Without Limits or Throttling","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g","tags":["x_refsource_CONFIRM"],"url":"https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g"}],"affected":[{"vendor":"Kludex","product":"python-multipart","versions":[{"version":"< 0.0.27","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-13T20:55:11.767Z"},"descriptions":[{"lang":"en","value":"Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27."}],"source":{"advisory":"GHSA-pp6c-gr5w-3c5g","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-14T16:04:33.782234Z","id":"CVE-2026-42561","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-14T19:52:12.815Z"}},{"affected":[{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:openshift_ai:3.3::el9"],"defaultStatus":"affected","packageName":"rhoai/odh-mlserver-rhel9","product":"Red Hat OpenShift AI 3.3","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1782887848","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:exploit_intelligence:0"],"defaultStatus":"affected","packageName":"exploit-intelligence-tech-preview/vulnerability-analysis-rhel9","product":"Exploit Intelligence","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:migration_toolkit_applications:8"],"defaultStatus":"affected","packageName":"mta/mta-solution-server-rhel9","product":"Migration Toolkit for Applications 8","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"unaffected","packageName":"openshift-lightspeed/lightspeed-ocp-rag-rhel9","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"unaffected","packageName":"openshift-lightspeed/lightspeed-service-api-rhel9","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","packageName":"rhaiis/vllm-cpu-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"unaffected","packageName":"rhaiis/vllm-cuda-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","packageName":"rhaiis/vllm-neuron-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"unaffected","packageName":"rhaiis/vllm-rocm-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","packageName":"rhaiis/vllm-spyre-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","packageName":"rhaiis/vllm-tpu-rhel9","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","packageName":"ansible-automation-platform-25/lightspeed-chatbot-rhel8","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","packageName":"ansible-automation-platform-26/lightspeed-chatbot-rhel9","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","packageName":"ansible-automation-platform-26/mcp-tools-rhel9","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","packageName":"ansible-automation-platform-27/lightspeed-chatbot-rhel9","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","packageName":"ansible-automation-platform-27/mcp-tools-rhel9","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-aws-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-azure-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-azure-rocm-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-gaudi-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-gcp-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/bootc-rocm-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","packageName":"rhelai3/disk-image-cuda-rhel9","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-caikit-nlp-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-caikit-tgis-serving-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","packageName":"rhoai/odh-feature-server-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-kserve-agent-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-kserve-controller-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-kserve-router-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-kserve-storage-initializer-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-llama-stack-core-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","packageName":"rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","packageName":"rhoai/odh-vllm-cuda-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","packageName":"rhoai/odh-vllm-gaudi-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","packageName":"rhoai/odh-vllm-rocm-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"unaffected","packageName":"satellite/foreman-mcp-server-rhel9","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"affected","packageName":"satellite/iop-advisor-engine-rhel9","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"affected","packageName":"satellite/iop-host-inventory-rhel9","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"affected","packageName":"satellite/iop-vmaas-rhel9","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"affected","packageName":"satellite/iop-vulnerability-engine-rhel9","product":"Red Hat Satellite 6","vendor":"Red Hat"}],"datePublic":"2026-05-13T20:55:11.767Z","descriptions":[{"lang":"en","value":"A flaw was found in python-multipart. A remote attacker can exploit this denial of service (DoS) vulnerability by sending a specially crafted request with an excessive number of part headers or a single very large header value during multipart/form-data parsing. This can lead to excessive CPU utilization, resulting in a denial of service for the affected system."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-606","description":"Unchecked Input for Loop Condition","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-42561"},{"name":"RHBZ#2477309","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477309"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42561.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:37275"}],"solutions":[{"lang":"en","value":"RHSA-2026:37275: Red Hat OpenShift AI 3.3"}],"timeline":[{"lang":"en","time":"2026-05-13T22:01:05.319Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-13T20:55:11.767Z","value":"Made public."}],"title":"python-multipart: python-multipart: Denial of Service via excessive multipart part headers","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-15T00:57:13.760Z"}}]}}