CVE-2026-34591
Received Received - Intake
Directory Traversal in Poetry Allows Arbitrary File Write

Publication date: 2026-04-02

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not sufficient for execution of malicious code. Malicious code will only be executed after installation if the malicious package is imported or invoked by the user.). This issue has been patched in version 2.3.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34591
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
python-poetry poetry From 1.4.0 (inc) to 2.3.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34591 is a path traversal vulnerability in the Python dependency manager Poetry, specifically in its wheel installer component. Between versions 1.4.0 and before 2.3.3, Poetry did not properly validate file paths inside wheel packages during installation. Malicious wheel files could include crafted paths containing "../" sequences that allowed files to be written outside the intended installation directory.

This means an attacker could create a wheel package that, when installed, writes arbitrary files anywhere on the filesystem with the privileges of the Poetry process. The vulnerability arises because Poetry concatenated untrusted file paths from the wheel without resolving or checking if the resulting path escaped the target directory.

The issue was fixed in Poetry version 2.3.3 by adding strict path resolution and containment checks that ensure files are only written inside the intended installation directory, aborting installation if path traversal is detected.

Impact Analysis

This vulnerability allows an attacker to write arbitrary files anywhere on the filesystem with the permissions of the Poetry process during package installation. This can lead to unauthorized modification or overwriting of critical files, potentially compromising system integrity.

Although installing a malicious wheel alone does not execute malicious code, the attacker can place files outside the installation directory that might be executed or loaded later, leading to further exploitation.

Systems or CI/CD pipelines that automatically install packages using Poetry are particularly at risk if they install untrusted or compromised wheel packages.

Detection Guidance

This vulnerability can be detected by checking if your Poetry installation version is between 1.4.0 and before 2.3.3, as these versions are vulnerable to path traversal attacks during wheel installation.

To detect exploitation attempts or presence of malicious files, you can look for unexpected files written outside the normal Poetry installation directories, especially files with path traversal patterns like "../" in their paths.

Since the vulnerability involves malicious wheel files writing files outside the intended directory, monitoring file system changes during package installation can help detect suspicious activity.

Suggested commands to help detect potential exploitation attempts include:

  • Check Poetry version installed: `poetry --version`
  • Search for recently created or modified files outside expected Poetry directories, for example: `find /path/to/poetry/install/parent -type f -mtime -7` to find files modified in the last 7 days.
  • Look for files with suspicious names or paths containing ".." sequences: `find / -path "*..*" -ls` (requires appropriate permissions).
  • Monitor installation logs or run Poetry installs in verbose/debug mode to detect errors or warnings related to path traversal or file write failures.

Note that no specific detection commands are provided in the resources, but these general approaches align with the nature of the vulnerability.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Poetry to version 2.3.3 or later, where the vulnerability has been fixed by enforcing strict path resolution and containment checks during wheel installation.

If upgrading immediately is not possible, avoid installing untrusted or malicious wheel packages, as the vulnerability is exploitable via crafted wheel files.

Additionally, consider running Poetry installations with least privilege to limit the impact of any arbitrary file writes.

Review and monitor your system for any unauthorized files that may have been written outside the intended directories during package installations.

Apply any relevant patches or updates provided by your package manager or distribution that include the fix for CVE-2026-34591.

Compliance Impact

The vulnerability CVE-2026-34591 allows arbitrary file writes outside the intended installation directory by malicious wheel files during Poetry package installation. This unauthorized file write capability could potentially lead to system compromise or data integrity issues.

While the provided context does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to write arbitrary files with the privileges of the Poetry process could lead to unauthorized data modification or exposure, which may violate data protection and security requirements mandated by such regulations.

Therefore, organizations using affected versions of Poetry might face increased risk of non-compliance with security and data protection standards if this vulnerability is exploited, especially in environments handling sensitive or regulated data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34591. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart