CVE-2026-8643
4.1
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Python Packaging Authority | pip | 24.0 < 26.1.2 | affected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
python-pip: Path traversal via malicious entry point name in pip wheel installation allows arbitrary file overwrite
Additional References
- https://access.redhat.com/security/cve/CVE-2026-8643
- https://bugzilla.redhat.com/show_bug.cgi?id=2460927
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8643.json
- https://access.redhat.com/errata/RHSA-2026:34374
- https://access.redhat.com/errata/RHSA-2026:33313
- https://access.redhat.com/errata/RHSA-2026:34891
- https://access.redhat.com/errata/RHSA-2026:34772
- https://access.redhat.com/errata/RHSA-2026:34778
- https://access.redhat.com/errata/RHSA-2026:34780
- https://access.redhat.com/errata/RHSA-2026:34773
- https://access.redhat.com/errata/RHSA-2026:34774
- https://access.redhat.com/errata/RHSA-2026:34739
- https://access.redhat.com/errata/RHSA-2026:34752
- https://access.redhat.com/errata/RHSA-2026:34765
- https://access.redhat.com/errata/RHSA-2026:34758
- https://access.redhat.com/errata/RHSA-2026:34756
- https://access.redhat.com/errata/RHSA-2026:34760
- https://access.redhat.com/errata/RHSA-2026:34776
- https://access.redhat.com/errata/RHSA-2026:34748
- https://access.redhat.com/errata/RHSA-2026:34775
- https://access.redhat.com/errata/RHSA-2026:34740
- https://access.redhat.com/errata/RHSA-2026:34749
- https://access.redhat.com/errata/RHSA-2026:34750
- https://access.redhat.com/errata/RHSA-2026:34741
- https://access.redhat.com/errata/RHSA-2026:34777
- https://access.redhat.com/errata/RHSA-2026:34456
References
- https://github.com/pypa/pip/pull/14000
- https://mail.python.org/archives/list/security-announce@python.org/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.