CVE-2026-5271
Awaiting Analysis Awaiting Analysis - Queue
Module Shadowing Vulnerability in pymanager via sys.path Inclusion

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: Python Software Foundation

Description
pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory.Β As a result, if a user executes a pymanager-generated command (e.g., pip, pytest) from an attacker-controlled directory, a malicious module in that directory can be imported and executed instead of the intended package.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5271
EUVD
EUVD-2026-17911
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
python pymanager 26.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5271 is a moderate severity vulnerability in the Python package manager "pymanager" caused by the inclusion of the current working directory (CWD) in Python's module search path (`sys.path`). Specifically, pymanager sets `sys.path[0]` to an empty string, which Python interprets as the CWD. This means that when a Python module is imported, the interpreter will prioritize modules found in the CWD over standard or trusted locations.

As a result, if a user runs a pymanager-generated command (like `pip` or `pytest`) from a directory controlled by an attacker, a malicious module placed in that directory can be imported and executed instead of the legitimate one. This leads to arbitrary local code execution without requiring elevated privileges.

The vulnerability arises from the line in pymanager's code: `sys.path[0] = ""`, which prioritizes untrusted directories during module import resolution. It can be triggered through normal developer workflows and affects any command executed via pymanager alias wrappers.

Compliance Impact

The vulnerability allows arbitrary local code execution by importing malicious modules from attacker-controlled directories when running pymanager-generated commands. This unauthorized code execution can compromise the integrity of the system and potentially lead to unauthorized access or manipulation of sensitive data.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the integrity impact and potential for unauthorized code execution could pose risks to data protection and privacy requirements mandated by such regulations.

Organizations relying on pymanager in development or production environments should consider this vulnerability as a risk factor that could affect compliance by enabling attackers to execute malicious code, potentially leading to data breaches or unauthorized data processing.

Impact Analysis

This vulnerability can lead to unauthorized local code execution if an attacker can place a malicious Python module in a directory from which you run pymanager commands. Because the current working directory is prioritized in module loading, the malicious module will be imported instead of the legitimate one.

The impact includes potential integrity compromise of your development environment or tools, as arbitrary code can be executed without requiring elevated privileges. This can lead to further exploitation or manipulation of your system or development workflow.

It is particularly dangerous in scenarios such as cloned repositories from untrusted sources, extracted archives, or shared development environments where attackers can place malicious modules in directories used by developers.

Detection Guidance

This vulnerability can be detected by checking if pymanager alias wrappers set sys.path[0] to an empty string ("") which prioritizes the current working directory (CWD) in module resolution.

To detect potential exploitation or presence of malicious modules, you can inspect the current directory for suspicious Python modules that could shadow legitimate ones.

  • Run commands from directories you control and check for unexpected module imports.
  • Use the following command to list Python files in the current directory that could shadow standard modules: `ls *.py`
  • Check the sys.path order in a Python interpreter launched via pymanager alias wrapper by running: `python -c "import sys; print(sys.path[0])"` to verify if it is set to an empty string.
Mitigation Strategies

Immediate mitigation involves updating pymanager to version 26.1 or later where the vulnerability is patched.

Avoid running pymanager commands from untrusted or attacker-controlled directories, such as cloned repositories or extracted archives from unknown sources.

Ensure that the current working directory does not contain malicious Python modules that could shadow legitimate ones.

Consider running pymanager commands from trusted directories or explicitly setting the PYTHONPATH environment variable to exclude the current directory.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart