CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32274: Arbitrary File Write via Path Traversal in Black Python Formatter

Vulnerability ID: CVE-2026-32274
CVSS Score: 8.7
Published: 2026-03-12

A path traversal vulnerability (CWE-22) in the cache mechanism of the Black Python code formatter allows an attacker to write files to arbitrary locations on the filesystem. The vulnerability stems from improper sanitization of the --python-cell-magics parameter when constructing cache keys.

TL;DR

Black versions prior to 26.3.1 hash user-controlled configuration values only conditionally when building cache keys, so short values are used unhashed; this leads to a path traversal vulnerability. An attacker can use crafted parameters to write arbitrary cache files outside the designated cache directory.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network / Local Configuration
  • CVSS v4.0: 8.7
  • Impact: Arbitrary File Write
  • Exploit Status: Proof of Concept (PoC)
  • Fixed Version: 26.3.1

Affected Systems

  • psf/black
  • blackd daemon
  • psf/black: < 26.3.1 (Fixed in: 26.3.1)

Code Analysis

Commit: 4937fe6

Remove conditional hashing for cache keys to prevent path traversal via python_cell_magics
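To make the "conditional hashing" pattern named in the fix commit concrete, here is an added Python illustration that is not Black's own code: the function names, the 64-character threshold, the cache file layout, the cache directory and the sample value are all hypothetical. It contrasts a key that is hashed only when long against one that is always hashed, and adds the containment check a cache writer should run regardless of how the key was derived.

```python
import hashlib
from pathlib import Path

# Constructed illustration of the bug class the advisory describes: a cache key
# derived from a user-controlled configuration value. This is not Black's own
# code; the function names, the length threshold and the file layout are
# hypothetical stand-ins for the pattern "hash only when the value is long".

CACHE_DIR = Path("/tmp/black-cache")  # hypothetical cache directory


def vulnerable_cache_key(cell_magics: str, max_raw_len: int = 64) -> str:
    """Conditional hashing: values up to max_raw_len are copied verbatim into
    the key, so any path separators they contain reach the filesystem."""
    if len(cell_magics) <= max_raw_len:
        return cell_magics
    return hashlib.sha256(cell_magics.encode()).hexdigest()


def fixed_cache_key(cell_magics: str) -> str:
    """Unconditional hashing (the approach the fix commit names): the key is
    always a hex digest, so no byte of the configuration becomes a path part."""
    return hashlib.sha256(cell_magics.encode()).hexdigest()


def cache_path(key: str, cache_dir: Path = CACHE_DIR) -> Path:
    """Hypothetical layout: one pickle per key inside the cache directory."""
    return cache_dir / f"cache.{key}.pickle"


def stays_inside(key: str, cache_dir: Path = CACHE_DIR) -> bool:
    """Defence-in-depth check independent of how the key was built: resolve
    both paths and require the target to lie beneath the cache root.
    resolve() is non-strict, so the paths need not exist."""
    root = cache_dir.resolve()
    target = cache_path(key, cache_dir).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a short configuration string containing traversal
    # segments, well under the hypothetical hashing threshold.
    sample = "m1,/../../outside"
    print("conditional hashing stays inside:", stays_inside(vulnerable_cache_key(sample)))
    print("unconditional hashing stays inside:", stays_inside(fixed_cache_key(sample)))
```

The containment check is the part worth keeping even after the hashing is fixed: it turns a silent write outside the cache root into a detectable failure.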

Mitigation Strategies

  • Upgrade psf/black to version 26.3.1 or later
  • Disable the blackd daemon on local developer workstations unless strictly required
  • Implement CORS restrictions using --cors-allow-origin if blackd must be exposed
  • Audit repository pyproject.toml files for anomalous python-cell-magics configurations

Remediation Steps

  1. Execute black --version to identify the currently installed version.
  2. If the version is prior to 26.3.1, execute pip install -U black to apply the patch.
  3. Restart any running instances of the blackd service to ensure the patched code is loaded into memory.
  4. Review CI/CD pipeline definitions (e.g., GitHub Actions, GitLab CI) to ensure they are pulling the secure version of Black.
