CVE-2026-34591
Directory Traversal in Poetry Allows Arbitrary File Write
Publication date: 2026-04-02
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python-poetry | poetry | From 1.4.0 (inc) to 2.3.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-34591 allows a malicious wheel file to write arbitrary files outside the intended installation directory during Poetry package installation. This unauthorized file write capability could potentially lead to system compromise or data integrity issues.
While the provided context does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to write arbitrary files with the privileges of the Poetry process could lead to unauthorized data modification or exposure, which may violate data protection and security requirements mandated by such regulations.
Therefore, organizations using affected versions of Poetry might face increased risk of non-compliance with security and data protection standards if this vulnerability is exploited, especially in environments handling sensitive or regulated data.
Can you explain this vulnerability to me?
CVE-2026-34591 is a path traversal vulnerability in the Python dependency manager Poetry, specifically in its wheel installer component. In versions from 1.4.0 up to, but not including, 2.3.3, Poetry did not properly validate file paths inside wheel packages during installation. Malicious wheel files could include crafted paths containing "../" sequences that allowed files to be written outside the intended installation directory.
This means an attacker could create a wheel package that, when installed, writes arbitrary files anywhere on the filesystem with the privileges of the Poetry process. The vulnerability arises because Poetry concatenated untrusted file paths from the wheel without resolving or checking if the resulting path escaped the target directory.
The issue was fixed in Poetry version 2.3.3 by adding strict path resolution and containment checks that ensure files are only written inside the intended installation directory, aborting installation if path traversal is detected.
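As an added example (not Poetry's own code), the unsafe join pattern described above is shown beside a hardened extractor that resolves every wheel member path and aborts before writing anything if one would escape the target directory; the in-memory zip standing in for a wheel is constructed here, and all function names are hypothetical.

```python
import io
import tempfile
import zipfile
from pathlib import Path

class PathTraversalError(Exception):
    """Raised when a wheel member would land outside the install directory."""

def unsafe_target(dest: Path, member: str) -> Path:
    # Vulnerable pattern: plain join, so a "../" member name is honoured.
    return dest / member

def safe_target(dest: Path, member: str) -> Path:
    # Hardened pattern: resolve the joined path, require it to stay under dest.
    root = dest.resolve()
    candidate = (root / member).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(member)
    return candidate

def build_sample_wheel(with_traversal: bool) -> bytes:
    # Constructed in-memory zip standing in for a wheel (a wheel is a zip archive).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "# benign module\n")
        if with_traversal:
            zf.writestr("../escaped.txt", "would land outside the install dir\n")
    return buf.getvalue()

def install_wheel(data: bytes, dest: Path) -> list:
    """Validate every member before writing any, so a bad member aborts cleanly."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        targets = [safe_target(dest, n) for n in zf.namelist()]  # raises before any write
        for name, target in zip(zf.namelist(), targets):
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(name))
    return sorted(t.relative_to(dest.resolve()).as_posix() for t in targets)

def demo() -> dict:
    # Run both patterns in a scratch directory and report what happened.
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "site-packages"
        escaped = unsafe_target(dest, "../escaped.txt").resolve()
        report = {"unsafe_escapes": dest.resolve() not in escaped.parents, "blocked": None}
        report["benign"] = install_wheel(build_sample_wheel(False), dest)
        try:
            install_wheel(build_sample_wheel(True), dest)
        except PathTraversalError as exc:
            report["blocked"] = str(exc)
        files = [p for p in dest.rglob("*") if p.is_file()]
        report["on_disk"] = sorted(p.relative_to(dest).as_posix() for p in files)
        return report
```

The benign wheel installs normally, while the second wheel is rejected on validation and leaves nothing new on disk.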
How can this vulnerability impact me?
This vulnerability allows an attacker to write arbitrary files anywhere on the filesystem with the permissions of the Poetry process during package installation. This can lead to unauthorized modification or overwriting of critical files, potentially compromising system integrity.
Although installing a malicious wheel alone does not execute malicious code, the attacker can place files outside the installation directory that might be executed or loaded later, leading to further exploitation.
Systems or CI/CD pipelines that automatically install packages using Poetry are particularly at risk if they install untrusted or compromised wheel packages.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your installed Poetry version is from 1.4.0 up to, but not including, 2.3.3, as these versions are vulnerable to path traversal during wheel installation.
To detect exploitation attempts or presence of malicious files, you can look for unexpected files written outside the normal Poetry installation directories, especially files with path traversal patterns like "../" in their paths.
Since the vulnerability involves malicious wheel files writing files outside the intended directory, monitoring file system changes during package installation can help detect suspicious activity.
Suggested commands to help detect potential exploitation attempts include:
- Check Poetry version installed: `poetry --version`
- Search for recently created or modified files outside expected Poetry directories, for example: `find /path/to/poetry/install/parent -type f -mtime -7` to find files modified in the last 7 days.
- Look for files with suspicious names or paths containing ".." sequences: `find / -path "*..*" -ls` (requires appropriate permissions).
- Monitor installation logs or run Poetry installs in verbose/debug mode to detect errors or warnings related to path traversal or file write failures.
Note that no specific detection commands are provided in the resources, but these general approaches align with the nature of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade Poetry to version 2.3.3 or later, where the vulnerability has been fixed by enforcing strict path resolution and containment checks during wheel installation.
If upgrading immediately is not possible, avoid installing untrusted or malicious wheel packages, as the vulnerability is exploitable via crafted wheel files.
Additionally, consider running Poetry installations with least privilege to limit the impact of any arbitrary file writes.
Review and monitor your system for any unauthorized files that may have been written outside the intended directories during package installations.
Apply any relevant patches or updates provided by your package manager or distribution that include the fix for CVE-2026-34591.