Path Traversal Vulnerability in gdown by wkentaro
CVE-2026-40491

6.5 MEDIUM

Key Information:

Vendor: wkentaro
Status: Vendor
CVE Published: 18 April 2026

What is CVE-2026-40491?

gdown, a command-line and Python downloader for Google Drive files, ships an extractall helper for unpacking downloaded archives. In versions before 5.2.2 that helper does not validate the member names inside a ZIP or TAR archive before writing them to disk. An archive under attacker control (for example one shared on Google Drive and fetched by the victim) can therefore carry member names with ".." components or absolute paths, and extracting it writes files outside the intended destination directory. The direct impact is arbitrary file write or overwrite with the privileges of the user running gdown; this becomes code execution only when the written file lands somewhere that is later executed or loaded, which is why the page rates the RCE as potential rather than certain. The CVSS metrics match this picture: the archive arrives over the network, no privileges are needed, but user interaction is required (the victim must download and extract it), with high integrity impact and no direct confidentiality or availability impact. Upgrade to gdown 5.2.2 or later, which addresses the issue.
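Added example, not gdown's own code: the member-name validation that the description says pre-5.2.2 extractall lacks, run against constructed in-memory ZIP and TAR samples. The sample archives, their file names, and the safe_extractall helper are assumptions of this example; it generalises the check beyond ".." components to absolute member paths and TAR link members, which are the other two shapes archive traversal takes.

```python
"""Added example, not gdown's code: validate archive member names before
extraction. Archives below are constructed samples; paths are assumptions."""
import io
import os
import tarfile
import tempfile
import zipfile


def build_zip(members):
    """Constructed sample: in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_tar(members):
    """Constructed sample: in-memory uncompressed TAR from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# One benign archive and two crafted ones whose member names climb out of the
# extraction directory; a trusting extractall writes the ".." names as given.
BENIGN_ZIP = build_zip({"ok.txt": b"fine\n"})
EVIL_ZIP = build_zip({"ok.txt": b"fine\n", "../escaped.txt": b"owned\n"})
EVIL_TAR = build_tar({"ok.txt": b"fine\n", "../../escaped.txt": b"owned\n"})


def member_names(archive):
    """Member names of a ZIP or TAR byte string; the format is sniffed, not trusted."""
    bio = io.BytesIO(archive)
    if zipfile.is_zipfile(bio):
        bio.seek(0)
        with zipfile.ZipFile(bio) as zf:
            return zf.namelist()
    bio.seek(0)
    with tarfile.open(fileobj=bio, mode="r:*") as tf:
        return tf.getnames()


def is_within(base, name):
    """True if `name` joined onto `base` still resolves inside `base`.
    realpath() collapses ".." and follows symlinks on both sides, and an
    absolute member name makes os.path.join discard `base`, so both the
    "../x" and "/etc/x" shapes of traversal fail this test."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, name))
    return os.path.commonpath([base, target]) == base


def find_traversal_members(archive, dest):
    """Names of members that would be written outside `dest`."""
    return [n for n in member_names(archive) if not is_within(dest, n)]


def safe_extractall(archive, dest):
    """Extract only if every member stays inside `dest`; returns member names.
    Validate-then-extract, so nothing is written from a partly bad archive.
    TAR hard/symlinks are refused: their targets are a second traversal
    vector that the name check alone does not cover."""
    bad = find_traversal_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract: members escape {dest}: {bad}")
    bio = io.BytesIO(archive)
    if zipfile.is_zipfile(bio):
        bio.seek(0)
        with zipfile.ZipFile(bio) as zf:
            zf.extractall(dest)
            return zf.namelist()
    bio.seek(0)
    with tarfile.open(fileobj=bio, mode="r:*") as tf:
        members = tf.getmembers()
        links = [m.name for m in members if m.issym() or m.islnk()]
        if links:
            raise ValueError(f"refusing to extract: link members {links}")
        # Python 3.12+ (and backports) ship extraction filters; use the strict one when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, members=members, **kwargs)
        return [m.name for m in members]


def demo():
    """Run the three samples into a fresh temp dir; returns {label: names or error}."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        for label, archive in (("benign", BENIGN_ZIP), ("evil_zip", EVIL_ZIP), ("evil_tar", EVIL_TAR)):
            try:
                results[label] = safe_extractall(archive, dest)
            except ValueError as exc:
                results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Two design points matter here. The check is done on the full member list before any file is written, so a crafted archive cannot get its benign members onto disk as cover for the rejected ones; and the comparison uses realpath() on both sides, because a plain string prefix test is defeated by "dest/../dest2" style names and by symlinks already present under the destination.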

Affected Version(s)

gdown < 5.2.2 (fixed in 5.2.2). Check the installed version with `pip show gdown` or `python -c "import gdown; print(gdown.__version__)"` before deciding whether a host needs the upgrade.


CVSS V3.1

Score: 6.5
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 18 April 2026