CVE-2026-6357
Status: Received - Intake
Improper Module Import in pip Self-Update Risks Code Execution

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: Python Software Foundation

Description
pip prior to version 26.1 would run its self-update check after installing wheel files, which required importing well-known Python module names. These module imports were intentionally deferred to improve the startup time of the pip CLI. The patch moves the self-update check so that it runs before wheels are installed, preventing newly installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.
Meta Information
Published: 2026-04-27
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product   Version / Range
python   pip       all versions before 26.1 (26.1 excluded)
CWE
CWE-829: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade pip to version 26.1 or later, where the self-update check runs before wheel installations, preventing the vulnerability.

Users should also review package contents prior to installation to avoid installing malicious packages.

If upgrading is not immediately possible, consider disabling the self-update check feature if supported, as a fallback to reduce risk.

Monitor pip operations for unusual behavior and ensure that your environment restricts untrusted package installations.


Can you explain this vulnerability to me?

CVE-2026-6357 is a vulnerability in pip versions prior to 26.1 related to the self-update check functionality. Before version 26.1, pip performed a self-update check after installing wheel files, which required importing well-known Python modules. These imports were deferred to improve startup time, but this behavior allowed newly-installed modules to be imported shortly after installation, potentially leading to security risks.

The vulnerability was addressed by changing the self-update check to run before wheel installations. This prevents the import of newly-installed modules immediately after installation, reducing the risk of arbitrary code execution or other unintended side effects during the update process.

The fix also involved restructuring the self-version check to retrieve version information before installation, wrapping the logic in try-except blocks to handle exceptions gracefully, and improving robustness against network or package index issues.


How can this vulnerability impact me?

This vulnerability could allow arbitrary code execution during the pip self-update process if malicious or compromised packages are installed. Because the self-update check ran after installing wheel files and imported newly-installed modules, an attacker could exploit this timing to execute harmful code.

Such an exploit could compromise the security of your Python environment, potentially leading to unauthorized actions, data breaches, or system instability.

By running the self-update check before wheel installation, the risk of importing malicious code immediately after installation is mitigated, improving the security and reliability of pip operations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability relates to pip's self-update check running after wheel installations, which could import newly installed modules and potentially lead to arbitrary code execution. Detection involves monitoring pip's behavior during package installation, especially the timing of self-update checks.

Since the vulnerability is tied to pip versions prior to 26.1, a primary detection method is to check the installed pip version on your system.

  • Run the command: python -m pip --version to determine the pip version.
  • Observe pip logs or verbose output during package installation to detect if self-update checks occur after wheel installations.

No specific network commands or signatures are provided in the available resources to detect exploitation attempts on the network.
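A version check for the detection step above, added here as an example (it is not code from the page or from pip itself): it parses the first line of `python -m pip --version` and decides, using a simplified PEP 440 comparison, whether the installed pip predates the 26.1 release that carries the fix. The sample output line in the comments is constructed.

```python
import re
import subprocess
import sys

FIXED_RELEASE = (26, 1)  # first pip release carrying the fix, per the advisory

# First line of `python -m pip --version`, e.g. (constructed sample)
# "pip 25.0.1 from /usr/lib/python3/dist-packages/pip (python 3.12)"
_PIP_VERSION_LINE = re.compile(
    r"^pip\s+(?P<version>\S+)\s+from\s+(?P<location>.+?)\s+\(python\s+(?P<python>[^)]+)\)")

# Simplified PEP 440 public version: release segment plus optional pre/post/dev tags.
_PEP440 = re.compile(r"^(?P<release>\d+(?:\.\d+)*)(?P<pre>(?:a|b|rc)\d+)?"
                     r"(?:\.post(?P<post>\d+))?(?:\.dev(?P<dev>\d+))?$")

def is_affected(version_text):
    """True if this pip version predates the 26.1 release (CVE-2026-6357)."""
    m = _PEP440.match(version_text.strip())
    if not m:
        raise ValueError(f"unrecognised pip version: {version_text!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    # Pad both sides so (26,) compares as (26, 0) and (26, 1, 0) as (26, 1).
    width = max(len(release), len(FIXED_RELEASE))
    rel = release + (0,) * (width - len(release))
    fixed = FIXED_RELEASE + (0,) * (width - len(FIXED_RELEASE))
    if rel != fixed:
        return rel < fixed
    # Same numbers as the fix: a/b/rc pre-releases and a .devN on the bare
    # release sort before 26.1 final; a .postN sorts after it.
    pre, post, dev = m.group("pre"), m.group("post"), m.group("dev")
    return pre is not None or (post is None and dev is not None)

def check_pip_output(output):
    """Parse `pip --version` output into a report carrying an 'affected' verdict."""
    m = _PIP_VERSION_LINE.match(output.strip().splitlines()[0])
    if not m:
        raise ValueError(f"unexpected pip --version output: {output!r}")
    report = m.groupdict()
    report["affected"] = is_affected(report["version"])
    return report

if __name__ == "__main__":
    # Query the pip bundled with the interpreter running this script.
    out = subprocess.run([sys.executable, "-m", "pip", "--version"],
                         capture_output=True, text=True, check=True).stdout
    r = check_pip_output(out)
    verdict = "AFFECTED, upgrade to pip >= 26.1" if r["affected"] else "not affected"
    print(f"pip {r['version']} at {r['location']}: {verdict}")
```

Run it once per interpreter or virtual environment, since each one carries its own pip.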


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided context and resources do not contain any information regarding the impact of CVE-2026-6357 on compliance with common standards and regulations such as GDPR or HIPAA.

