Information disclosure via pydoc getfile


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

Running “pydoc -p” allows other local users to extract arbitrary files.

The “/getfile?key=path” URL allows to read arbitrary file on the filesystem.


  • Disclosure date: 2021-01-21 (Python issue bpo-42988 reported)
  • Reported at: 2021-01-19
  • Reported by: David Schwörer (on the Fedora bugzilla)

Fixed In

Python issue

[security] CVE-2021-3426: Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem.

  • Python issue: bpo-42988
  • Creation date: 2021-01-21
  • Reporter: Miro Hrončok


There’s a flaw in Python 3’s pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.


Timeline using the disclosure date 2021-01-21 as reference: