CVE-2026-3029: Arbitrary File Write via Path Traversal in PyMuPDF CLI
Vulnerability ID: CVE-2026-3029
CVSS Score: 7.8
Published: 2026-03-19
CVE-2026-3029 is a high-severity path traversal vulnerability in the PyMuPDF library, specifically within the CLI extraction utility. The flaw allows an attacker to craft a malicious PDF that, when processed without an explicit output directory, writes embedded files to arbitrary locations on the host filesystem.
TL;DR
A path traversal vulnerability in PyMuPDF's CLI allows arbitrary file writes when extracting embedded files from untrusted PDFs.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Local
- CVSS Score: 7.8
- Impact: Arbitrary File Write
- Exploit Status: Proof-of-Concept Available
- KEV Status: Not Listed
Affected Systems
- PyMuPDF CLI Tool
- PyMuPDF: <= 1.26.5 (Fixed in: 1.26.7)
Code Analysis
Commit: 603cafe
Fix path traversal in embedded_get by validating path boundaries and adding -unsafe flag.
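The kind of output-directory boundary check the fix describes, as an added illustration written for this page rather than code taken from the PyMuPDF commit. The helper names and the embedded file names in the sample are constructed; the check resolves each name under the chosen output directory and refuses anything that lands outside it.

```python
"""Boundary check for embedded-file extraction (added example, not PyMuPDF code)."""
from pathlib import Path, PurePosixPath, PureWindowsPath

class UnsafeEmbeddedName(ValueError):
    """Embedded file name would write outside the chosen output directory."""

def safe_destination(output_dir, embedded_name):
    """Resolve where embedded_name may be written under output_dir, or raise.

    The name comes from an untrusted PDF: absolute, drive/UNC-qualified and
    escaping names are rejected outright rather than "cleaned up".
    """
    base = Path(output_dir).resolve()
    name = embedded_name.replace("\\", "/")  # a PDF written on Windows may use '\'
    if not name or PurePosixPath(name).is_absolute() or PureWindowsPath(name).drive:
        raise UnsafeEmbeddedName(f"absolute or drive-qualified name: {embedded_name!r}")
    # resolve() collapses '..' and follows symlinks, so 'a/../../x' and a symlinked
    # sub-directory that points outside base are both caught by the parent check.
    target = (base / name).resolve()
    if base not in target.parents:
        raise UnsafeEmbeddedName(f"name escapes output directory: {embedded_name!r}")
    return target

def is_safe_name(output_dir, embedded_name):
    """True if safe_destination() would accept the name."""
    try:
        safe_destination(output_dir, embedded_name)
        return True
    except UnsafeEmbeddedName:
        return False

def extract_all(output_dir, embedded_files):
    """Write (name, data) pairs under output_dir; return (written, rejected) names."""
    written, rejected = [], []
    for name, data in embedded_files:
        if not is_safe_name(output_dir, name):
            rejected.append(name)
            continue
        dest = safe_destination(output_dir, name)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        written.append(name)
    return written, rejected

if __name__ == "__main__":
    import tempfile
    # Constructed sample: one benign attachment and two traversal attempts.
    sample = [("report.csv", b"a,b\n"), ("../../escape.txt", b"x"), ("/tmp/escape.txt", b"y")]
    with tempfile.TemporaryDirectory() as out:
        print(extract_all(out, sample))  # (['report.csv'], ['../../escape.txt', '/tmp/escape.txt'])
```

The same check applies whether the output directory was given explicitly or defaulted to the working directory; the point is that the decision is made against the resolved path, not against the raw name.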
Exploit Details
- GitHub: Test suite PoC within the PyMuPDF repository (tests/test_4767.py)
Mitigation Strategies
- Upgrade PyMuPDF to version 1.26.7 or later.
- Always use the -output argument when extracting embedded files using the CLI tool.
- Avoid using the -unsafe flag introduced in 1.26.7 on untrusted documents.
Remediation Steps:
- Identify all systems and environments utilizing the PyMuPDF library.
- Update the library via package managers (e.g., pip install --upgrade pymupdf).
- Audit automated scripts utilizing the pymupdf embed-extract command to ensure the -output argument is hardcoded.
- Verify the update by extracting a test PDF with path traversal payloads to confirm the application rejects the operation.