CVE-2026-5271
Module Shadowing Vulnerability in pymanager via sys.path Inclusion
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: Python Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | pymanager | 26.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5271 is a moderate severity vulnerability in the Python package manager "pymanager" caused by the inclusion of the current working directory (CWD) in Python's module search path (`sys.path`). Specifically, pymanager sets `sys.path[0]` to an empty string, which Python interprets as the CWD. This means that when a Python module is imported, the interpreter will prioritize modules found in the CWD over standard or trusted locations.
As a result, if a user runs a pymanager-generated command (like `pip` or `pytest`) from a directory controlled by an attacker, a malicious module placed in that directory can be imported and executed instead of the legitimate one. This leads to arbitrary local code execution without requiring elevated privileges.
The vulnerability arises from the line in pymanager's code: `sys.path[0] = ""`, which prioritizes untrusted directories during module import resolution. It can be triggered through normal developer workflows and affects any command executed via pymanager alias wrappers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary local code execution by importing malicious modules from attacker-controlled directories when running pymanager-generated commands. This unauthorized code execution can compromise the integrity of the system and potentially lead to unauthorized access or manipulation of sensitive data.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the integrity impact and potential for unauthorized code execution could pose risks to data protection and privacy requirements mandated by such regulations.
Organizations relying on pymanager in development or production environments should consider this vulnerability as a risk factor that could affect compliance by enabling attackers to execute malicious code, potentially leading to data breaches or unauthorized data processing.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized local code execution if an attacker can place a malicious Python module in a directory from which you run pymanager commands. Because the current working directory is prioritized in module loading, the malicious module will be imported instead of the legitimate one.
The impact includes potential integrity compromise of your development environment or tools, as arbitrary code can be executed without requiring elevated privileges. This can lead to further exploitation or manipulation of your system or development workflow.
It is particularly dangerous in scenarios such as cloned repositories from untrusted sources, extracted archives, or shared development environments where attackers can place malicious modules in directories used by developers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if pymanager alias wrappers set `sys.path[0]` to an empty string (`""`), which prioritizes the current working directory (CWD) in module resolution.
To detect potential exploitation or presence of malicious modules, you can inspect the current directory for suspicious Python modules that could shadow legitimate ones.
- Run commands from directories you control and check for unexpected module imports.
- Use the following command to list Python files in the current directory that could shadow standard modules: `ls *.py`
- Check the sys.path order in a Python interpreter launched via pymanager alias wrapper by running: `python -c "import sys; print(sys.path[0])"` to verify if it is set to an empty string.
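The two checks above, as an added example that is not part of this advisory or of pymanager's own code: it reports whether the CWD is the first search-path entry (the `sys.path[0] = ""` shape) and which top-level modules in a directory would shadow a real module found later on the path, skipping builtin and frozen modules, which earlier finders resolve and a CWD file cannot shadow. Function names are mine; the safe-path flag it prints corresponds to `-P` / `PYTHONSAFEPATH`, available since Python 3.11.

```python
import os
import sys
from importlib.machinery import BuiltinImporter, FrozenImporter, PathFinder

def same_dir(entry, directory):
    """True if sys.path entry `entry` designates `directory` ('' and '.' mean the CWD)."""
    target = os.getcwd() if entry in ("", ".") else entry
    try:
        return os.path.samefile(target, directory)
    except OSError:  # entry is not an existing directory
        return False

def cwd_searched_first(path=None):
    """True when the first search-path entry is the CWD: the CVE-2026-5271 shape."""
    entries = sys.path if path is None else path
    return bool(entries) and same_dir(entries[0], os.getcwd())

def found_before_path(name):
    """Builtin and frozen modules come from finders that run before the file-system
    finder, so a same-named file in the CWD cannot shadow them."""
    return (BuiltinImporter.find_spec(name) is not None
            or FrozenImporter.find_spec(name) is not None)

def local_module_names(directory):
    """Top-level foo.py files and foo/__init__.py packages in `directory`. Bare
    directories are skipped: a regular module later on the path still beats them."""
    names = set()
    for entry in os.listdir(directory):
        full = os.path.join(directory, entry)
        if entry.endswith(".py") and os.path.isfile(full):
            names.add(entry[:-3])
        elif os.path.isfile(os.path.join(full, "__init__.py")):
            names.add(entry)
    return names

def shadowed_modules(directory, search_path=None):
    """Sorted names in `directory` that also resolve elsewhere on `search_path`;
    with `directory` searched first, importing them silently takes the local copy."""
    rest = [p for p in (sys.path if search_path is None else search_path)
            if not same_dir(p, directory)]
    hits = []
    for name in sorted(local_module_names(directory)):
        spec = None if found_before_path(name) else PathFinder.find_spec(name, rest)
        if spec is not None and spec.origin:  # a real module/package, not a namespace portion
            hits.append(name)
    return hits

if __name__ == "__main__":  # run from the directory you work in, under the wrapper you use
    print("CWD searched first:", cwd_searched_first())
    print("safe_path active (-P / PYTHONSAFEPATH, Python 3.11+):",
          bool(getattr(sys.flags, "safe_path", False)))
    print("local names shadowing real modules:", shadowed_modules(os.getcwd()))
```

Invoke it the way the wrapper under test invokes Python; note that `python -c` on its own always places `''` first in `sys.path`, so that form cannot distinguish a vulnerable wrapper from any other interpreter launch.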
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating pymanager to version 26.1 or later where the vulnerability is patched.
Avoid running pymanager commands from untrusted or attacker-controlled directories, such as cloned repositories or extracted archives from unknown sources.
Ensure that the current working directory does not contain malicious Python modules that could shadow legitimate ones.
Consider running pymanager commands from trusted directories or explicitly setting the PYTHONPATH environment variable to exclude the current directory.