CVE-2026-24049
File Permission Modification in Python wheel Unpack Enables Privilege Escalation
Publication date: 2026-01-22
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wheel_project | wheel | From 0.40.0 (inc) to 0.46.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24049 is a vulnerability in the Python 'wheel' package's unpack function (versions 0.46.1 and below) where the code improperly applies file permissions after extracting files from a wheel archive. The unpack function blindly trusts filenames from the archive header, which can include path traversal sequences like '../'. This allows an attacker to craft a malicious wheel file that, when unpacked, changes the permissions of files outside the intended extraction directory, including critical system files. This can lead to unauthorized permission changes, enabling privilege escalation or arbitrary code execution. The issue was fixed in version 0.46.2 by applying permissions only to sanitized, extracted file paths. [1, 3]
How can this vulnerability impact me?
This vulnerability can allow an attacker to modify the permissions of arbitrary files on your system outside the intended extraction directory when unpacking a malicious wheel file. For example, critical system files like /etc/passwd, SSH keys, or configuration files could be made world-writable. This can lead to privilege escalation or arbitrary code execution, compromising system integrity and security. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your system has wheel package versions 0.46.1 or below installed, as these versions contain the vulnerable unpack function. To verify the installed version, you can run the command: `pip show wheel` or `pip list | grep wheel`. Additionally, to detect if malicious wheel files with path traversal entries have been unpacked, you can audit file permissions on critical system files (e.g., /etc/passwd, SSH keys) for unexpected permission changes (e.g., world-writable permissions). For example, use `ls -l /etc/passwd` or `find /etc -perm /o+w` to find files with write permissions for others. Monitoring unpacking operations or scanning wheel files for path traversal entries (filenames containing '../') before unpacking can also help detect attempts to exploit this vulnerability. [3]
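As an added example (not code from the wheel project or from this advisory), the following Python performs the pre-unpack scan mentioned above: it inspects a wheel's zip entries for traversal or absolute names and for permissive Unix mode bits before anything is extracted. The archive it scans is constructed in memory with sample entry names; none of them is a real indicator.

```python
"""Pre-unpack audit of a wheel archive: a wheel is a zip file, so entry
names and Unix mode bits can be inspected before anything is extracted."""
import io
import posixpath
import stat
import zipfile


def audit_wheel(data: bytes) -> list:
    """Return one finding per suspicious entry in the wheel bytes `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, reasons = info.filename, []
            # Lexical path check, independent of the filesystem: an absolute
            # name, or one that still begins with '..' after normalisation
            # (e.g. '../../etc/passwd'), would land outside the destination.
            norm = posixpath.normpath(name)
            if name.startswith("/") or "\\" in name:
                reasons.append("absolute path or backslash in entry name")
            elif norm == ".." or norm.startswith("../"):
                reasons.append("escapes destination directory")
            # Unix permission bits live in the high 16 bits of external_attr;
            # zero means no Unix attributes were recorded for the entry.
            mode = (info.external_attr >> 16) & 0xFFFF
            if mode & stat.S_IWOTH:
                reasons.append("world-writable mode %o" % (mode & 0o7777))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid/setgid mode %o" % (mode & 0o7777))
            if reasons:
                findings.append({"entry": name, "reasons": reasons})
    return findings


def build_sample_wheel() -> bytes:
    """Constructed test data: one benign entry plus two hostile entry names
    carrying permissive modes (illustrative, not a real wheel)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "")
        traversal = zipfile.ZipInfo("../../etc/passwd")
        traversal.external_attr = (stat.S_IFREG | 0o666) << 16  # rw-rw-rw-
        zf.writestr(traversal, "")
        helper = zipfile.ZipInfo("/usr/local/bin/helper")
        helper.external_attr = (stat.S_IFREG | 0o4755) << 16  # setuid bit set
        zf.writestr(helper, "")
    return buf.getvalue()
```

Run `audit_wheel(open("some.whl", "rb").read())` against a downloaded wheel; an empty list means no entry name or mode bit tripped the checks, while any finding is a reason not to unpack the file with a vulnerable `wheel` release.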
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the wheel package to version 0.46.2 or later, where the vulnerability has been fixed by ensuring that file permission changes are applied only to sanitized, extracted file paths within the intended directory. You can upgrade by running: `pip install --upgrade wheel`. Additionally, avoid unpacking wheel files from untrusted sources until the upgrade is applied. If you suspect exploitation, audit and restore permissions on critical system files that may have been altered. [2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to modify permissions of critical system files, potentially leading to privilege escalation or arbitrary code execution. Such unauthorized access or modification of sensitive files could result in violations of security requirements mandated by standards like GDPR or HIPAA, which require protection of data integrity and confidentiality. Therefore, exploitation of this vulnerability could negatively impact compliance with these regulations by enabling unauthorized access or alteration of protected data or system configurations. [3]