CVE-2026-3219
Archive Ambiguity Vulnerability in pip Causes Incorrect Installations
Publication date: 2026-04-20
Last updated on: 2026-04-20
Assigner: Python Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pypa | pip | 26.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3219 is a medium severity vulnerability in pip, the Python package installer. The issue arises because pip incorrectly handles files that are concatenated ZIP and tar archives by treating them solely as ZIP files, regardless of the filename or the fact that the file may be both a tar and ZIP archive.
This behavior can lead to confusing installation outcomes, such as installing incorrect files that do not match the archive's filename. The fix requires pip to proceed with installation only if the archive file can be uniquely identified as either a ZIP or a tar archive, but not both.
How can this vulnerability impact me?
This vulnerability can cause pip to install incorrect files during package installation because it treats concatenated tar and ZIP files as ZIP files regardless of their actual format or filename.
Such confusing installation behavior could lead to unexpected or unintended code being installed, which may affect the reliability and security of your Python environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves pip incorrectly handling files that are both tar and ZIP archives by treating them solely as ZIP files. Detection involves identifying such ambiguous archive files that could be misinterpreted during installation.
To detect potentially problematic files, you can use Python's standard library functions to check if a file is recognized as both a ZIP and a tar archive, which indicates ambiguity:
- Test a file's archive type with Python's standard library:

  ```python
  import tarfile
  import zipfile

  filename = 'yourfile'
  is_zip = zipfile.is_zipfile(filename)
  is_tar = tarfile.is_tarfile(filename)
  print(f'Is ZIP: {is_zip}, Is TAR: {is_tar}')
  ```
If both `is_zip` and `is_tar` return True, the file is ambiguous and could trigger the vulnerability.
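As an added example (not code from this advisory or from pip itself), the snippet below wraps the two standard-library checks into a classification that refuses the ambiguous case, the same rule the fix applies, and builds three constructed fixtures (a plain tar, a plain ZIP, and their concatenation) to show that only the concatenation passes both tests. Member names and payload bytes are made up.

```python
import io
import os
import tarfile
import tempfile
import zipfile


def classify_archive(path):
    """Return 'zip', 'tar', 'ambiguous' or 'unknown' for the file at path.
    Passing both stdlib sniff tests is the tar+ZIP polyglot this CVE is
    about; a safe installer refuses it rather than picking one format."""
    is_zip = zipfile.is_zipfile(path)
    is_tar = tarfile.is_tarfile(path)
    if is_zip and is_tar:
        return "ambiguous"
    return "zip" if is_zip else "tar" if is_tar else "unknown"

def _tar_bytes(name, data):
    # Uncompressed tar holding one member (constructed fixture).
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def _zip_bytes(name, data):
    # ZIP holding one member (constructed fixture).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def classify_samples():
    """Write a plain tar, a plain ZIP and their concatenation to a temp
    directory and classify each. The concatenation passes both tests
    because tar is parsed from the start and ZIP from its end record."""
    tar = _tar_bytes("from_tar.txt", b"tar payload\n")
    zipped = _zip_bytes("from_zip.txt", b"zip payload\n")
    samples = {"plain.tar": tar, "plain.zip": zipped, "polyglot": tar + zipped}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, blob in samples.items():
            path = os.path.join(tmp, label)
            with open(path, "wb") as fh:
                fh.write(blob)
            results[label] = classify_archive(path)
    return results
```

Calling `classify_samples()` returns `{'plain.tar': 'tar', 'plain.zip': 'zip', 'polyglot': 'ambiguous'}`; only the last case is the one an unpacker should reject before choosing a format.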
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update pip to version 26.1 or later, where the fix has been implemented.
The fix ensures pip only proceeds with installation if the archive file is uniquely identified as either a ZIP or a tar archive, preventing ambiguous unpacking.
Additionally, PyPI's backend (Warehouse) already rejects polyglot files that are valid as multiple archive types, reducing the risk of malformed uploads exploiting this issue.
- Upgrade pip to version 26.1 or later using the command:

  ```bash
  python -m pip install --upgrade pip
  ```
- Avoid installing packages from untrusted sources that might contain ambiguous archive files.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.