Proof download throws 500 #14467

@jikaven

Bug description
When marking a finding as "risk accepted" there is an option to upload a file containing Proof.
Then once a user wishes to download the file, DefectDojo throws:

Image

With the logs showing:

Image

Steps to reproduce
Steps to reproduce the behavior:

  1. Go to findings and click on a finding's hamburger menu
  2. Click on 'Add Risk Acceptance...'
  3. Scroll down to 'Proof' and upload an image (for example a screenshot)
  4. Click on 'Save' at the bottom of the page
  5. Go to the engagement that the finding was from and click on the specific "Risk Acceptance"
  6. Click on the entry under "Uploaded Proof"
  7. See error

Expected behavior
DefectDojo starts download/displays image

Deployment method (select with an X)

  • Docker Compose
  • GoDojo
  • Kubernetes

Environment information

  • Operating System: Alpine Linux
  • Docker Compose: Docker Compose version v5.0.2
  • DefectDojo version: v. 2.55.1 (but suspected code is present in 2.56.0 too)

Logs

uwsgi-1          | [09/Mar/2026 09:26:32] ERROR [django.request:253] Internal Server Error: /engagement/1/risk_acceptance/4/download
uwsgi-1          | Traceback (most recent call last):
uwsgi-1          |   File "/usr/local/lib/python3.13/site-packages/django/core/handlers/exception.py", line 55, in inner
uwsgi-1          |     response = get_response(request)
uwsgi-1          |   File "/usr/local/lib/python3.13/site-packages/django/core/handlers/base.py", line 197, in _get_response
uwsgi-1          |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
uwsgi-1          |   File "/app/dojo/authorization/authorization_decorators.py", line 36, in _wrapped
uwsgi-1          |     return func(request, *args, **kwargs)
uwsgi-1          |   File "/app/dojo/engagement/views.py", line 1584, in download_risk_acceptance
uwsgi-1          |     (Path(settings.MEDIA_ROOT) / "risk_acceptance.path.name").open(mode="rb")))
uwsgi-1          |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^
uwsgi-1          |   File "/usr/local/lib/python3.13/pathlib/_local.py", line 537, in open
uwsgi-1          |     return io.open(self, mode, buffering, encoding, errors, newline)

Additional context
I believe that the error stems from the following line:

(Path(settings.MEDIA_ROOT) / "risk_acceptance.path.name").open(mode="rb")))
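
The following is an added example, not part of the original issue and not DefectDojo's code. It shows that the quoted string in that line is joined as a literal file name, next to a hypothetical helper (`resolve_proof_path`) that joins the stored name and refuses anything resolving outside the media root. The directory layout, file names and function names are constructed for illustration, and it assumes stored names are relative to the media root.

```python
import tempfile
from pathlib import Path

# The literal from the traceback: the quotes make this a fixed file name,
# not the value of an attribute on the risk acceptance object.
QUOTED_LITERAL = "risk_acceptance.path.name"


def path_as_reported(media_root: Path) -> Path:
    """Path built the way the traceback line builds it: always the same name."""
    return media_root / QUOTED_LITERAL


def resolve_proof_path(media_root: Path, stored_name: str) -> Path:
    """Hypothetical helper: join the stored name, stay inside media_root."""
    root = media_root.resolve()
    candidate = (root / stored_name).resolve()
    # An absolute or ../ stored name would otherwise escape the media directory.
    if not candidate.is_relative_to(root):
        raise ValueError(f"{stored_name!r} resolves outside the media root")
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    return candidate


def demo() -> dict:
    """Run both variants against a constructed media directory."""
    with tempfile.TemporaryDirectory() as tmp:
        media_root = Path(tmp) / "media"
        (media_root / "uploads").mkdir(parents=True)
        stored_name = "uploads/proof.png"  # constructed sample upload
        (media_root / stored_name).write_bytes(b"\x89PNG constructed sample")
        results = {}
        try:
            path_as_reported(media_root).open(mode="rb").close()
            results["reported"] = "opened"
        except FileNotFoundError:
            results["reported"] = "FileNotFoundError"
        with resolve_proof_path(media_root, stored_name).open(mode="rb") as fh:
            results["joined"] = fh.read(4)
        try:
            resolve_proof_path(media_root, "../outside.txt")
            results["traversal"] = "accepted"
        except ValueError:
            results["traversal"] = "rejected"
        return results
```

Calling `demo()` returns the outcome of each variant for the constructed directory; the containment check matters because a download view opens whatever path the stored name produces.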
