CVE-2026-3219
Status: Received - Intake
Archive Ambiguity Vulnerability in pip Causes Incorrect Installations

Publication date: 2026-04-20

Last updated on: 2026-04-20

Assigner: Python Software Foundation

Description
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: pypa
Product: pip
Version / Range: 26.1
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Executive Summary

CVE-2026-3219 is a vulnerability in pip, the Python package installer. Before the fix, pip treated a file that is valid as both a tar archive and a ZIP archive solely as a ZIP file, regardless of its filename. Such a file is possible because a tar reader parses from the start of the file and stops at the end-of-archive marker, while a ZIP reader locates the central directory from the record at the end of the file, so a tar body with a ZIP body appended satisfies both.

This can lead to confusing installation outcomes, such as installing files that do not match what the archive's filename (for example a `.tar.gz` suffix) suggests. The fix makes pip proceed with installation only if the archive can be uniquely identified as either a ZIP or a tar archive, not both.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can cause pip to install the wrong content during package installation, because it treats a file that is both a tar and a ZIP archive as a ZIP regardless of its actual format or filename.

Since the tar view and the ZIP view of such a file can contain different members, what pip unpacks need not match what a tar-based inspection of the same file shows. Unexpected or unintended code could therefore end up installed, affecting the reliability and security of the Python environment.

Detection Guidance

This vulnerability involves pip treating a file that is valid as both a tar and a ZIP archive solely as a ZIP file. Detection therefore means finding archives that both parsers accept, since those are the files whose content depends on which reader opens them.

To detect potentially problematic files, use Python's standard library to check whether a file is recognised as both a ZIP and a tar archive:

```python
import tarfile
import zipfile

filename = "yourfile"  # path of the archive to inspect
is_zip = zipfile.is_zipfile(filename)
is_tar = tarfile.is_tarfile(filename)
print(f"Is ZIP: {is_zip}, Is TAR: {is_tar}")
```

If both `is_zip` and `is_tar` are True, the file is ambiguous and would trigger the vulnerable behaviour in unfixed pip. Note that `zipfile.is_zipfile` only looks for an end-of-central-directory record near the end of the file, while `tarfile.is_tarfile` parses the leading header, which is exactly why a tar body with a ZIP appended satisfies both checks.
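The following is an added example, not code from the page or from pip, that ties the impact and detection points together. It constructs a sample tar+ZIP polyglot in memory (a constructed file, not a real package), writes it under a misleading `.tar.gz` name, classifies it with the standard-library checks above, shows that a tar reader and a ZIP reader return different content for the same member name, and applies a pre-unpack gate modelled on the behaviour the advisory describes for fixed pip. The names `build_polyglot`, `classify_archive`, `member_views`, `check_before_unpack` and `demo` are this example's own, not pip's API.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Constructed sample, not a real package: the same member name carries
# different content in the tar view and in the ZIP view of one file.
TAR_VIEW = b"print('seen by a tar reader')\n"
ZIP_VIEW = b"print('seen by a ZIP reader')\n"
MEMBER = "pkg-1.0/setup.py"


def build_polyglot() -> bytes:
    """Return bytes that are a valid tar archive *and* a valid ZIP archive.

    tar is parsed from offset 0 and stops at its end-of-archive marker;
    ZIP readers locate the central directory from the end-of-central-
    directory record at the tail of the file. A tar body followed by a
    ZIP body therefore satisfies both parsers with different contents.
    """
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo(name=MEMBER)
        info.size = len(TAR_VIEW)
        tf.addfile(info, io.BytesIO(TAR_VIEW))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, mode="w") as zf:
        zf.writestr(MEMBER, ZIP_VIEW)
    return tar_buf.getvalue() + zip_buf.getvalue()


def classify_archive(path: str) -> str:
    """'tar', 'zip', 'ambiguous' (both parsers accept it) or 'unknown'."""
    is_zip = zipfile.is_zipfile(path)  # only checks for an EOCD record near the tail
    is_tar = tarfile.is_tarfile(path)  # actually parses the first tar header
    if is_zip and is_tar:
        return "ambiguous"
    if is_zip:
        return "zip"
    if is_tar:
        return "tar"
    return "unknown"


def member_views(path: str, member: str) -> dict:
    """Content of `member` as read by each parser that accepts the file."""
    views = {}
    if tarfile.is_tarfile(path):
        with tarfile.open(path) as tf:
            views["tar"] = tf.extractfile(member).read()
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            views["zip"] = zf.read(member)
    return views


def check_before_unpack(path: str) -> str:
    """Pre-install gate modelled on the behaviour the advisory describes:
    proceed only if the file is uniquely tar or uniquely ZIP.
    Example code, not pip's implementation."""
    kind = classify_archive(path)
    if kind == "ambiguous":
        raise ValueError(f"{path}: valid as both tar and ZIP; refusing to unpack")
    if kind == "unknown":
        raise ValueError(f"{path}: not a recognised archive")
    return kind


def demo() -> dict:
    """Write the constructed polyglot under a misleading .tar.gz name and
    report what each check sees."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pkg-1.0.tar.gz")  # name says tar, content is both
        with open(path, "wb") as fh:
            fh.write(build_polyglot())
        result = {"kind": classify_archive(path),
                  "views": member_views(path, MEMBER)}
        try:
            check_before_unpack(path)
            result["accepted"] = True
        except ValueError:
            result["accepted"] = False
    return result


if __name__ == "__main__":
    r = demo()
    print("classification:", r["kind"])
    for parser, content in r["views"].items():
        print(f"{parser:>3} reader sees:", content.decode().strip())
    print("accepted by pre-unpack check:", r["accepted"])
```

Running the script shows the file classified as `ambiguous`, the tar reader returning the tar-side `setup.py` and the ZIP reader the ZIP-side one, and the gate refusing to unpack. The same `classify_archive` check can be run over a downloaded sdist before handing it to an older pip.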

Mitigation Strategies

To mitigate this vulnerability, you should update pip to version 26.1 or later, where the fix has been implemented.

The fix ensures pip only proceeds with installation if the archive file is uniquely identified as either a ZIP or a tar archive, preventing ambiguous unpacking.

Additionally, PyPI’s backend (Warehouse) already rejects polyglot files that are valid as multiple archive types, reducing the risk of malformed uploads exploiting this issue.

  • Upgrade pip to version 26.1 or later:

```bash
python -m pip install --upgrade pip
```

  • Avoid installing packages from untrusted sources that might contain ambiguous archive files.