CVE-2026-3479
Status: Received - Intake
Path Traversal Vulnerability in Python pkgutil.get_data() Function

Publication date: 2026-03-18

Last updated on: 2026-04-07

Assigner: Python Software Foundation

Description
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
Meta Information
Published: 2026-03-18
Last Modified: 2026-04-07
Generated: 2026-06-16
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: python
Product: cpython
Version / Range: up to and including 3.15
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Executive Summary

CVE-2026-3479 is a low severity vulnerability in Python's pkgutil.get_data() function. The issue arises because the function does not properly validate the resource argument as documented, which allows path traversal attacks.

This means an attacker could potentially manipulate the resource path to access files outside the intended resource directory, leading to unauthorized data access.

Impact Analysis

The vulnerability allows an attacker to perform path traversal by supplying crafted resource arguments to pkgutil.get_data(), potentially accessing files outside the intended scope.

This unauthorized access could expose sensitive data or system files that should not be accessible through the application using this function.

Mitigation Strategies

To mitigate CVE-2026-3479, you should update your Python installations to versions that include the security patch for pkgutil.get_data().

  • Apply the patch merged on March 18, 2026, which enforces strict validation of the resource argument in pkgutil.get_data().
  • Upgrade to Python versions 3.10, 3.11, 3.12, 3.13, 3.14 or later where the fix has been backported.
  • Ensure that your environment does not use vulnerable versions of Python prior to the patch.