CVE-2026-12003
Awaiting Analysis (queue)
Path Traversal in Python Source Tree Build

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Python Software Foundation

Description
To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks, specifically Modules/setup.local. When this landmark is found at VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree.

On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), because Windows allows all users to create folders in the root directory of their OS drive.

Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory has equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation-of-privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers; earlier fixes are only provided as sources.

Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separate directory in the build for binaries, they are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark, .\pybuilddir.txt, is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.
Meta Information
Generated: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products (5 associated CPEs)
Vendor  Product  Version
python  python   3.13
python  python   3.14
python  python   3.11
python  python   3.12
python  python   3.15
CWE
CWE-427: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
AI Quick Actions (instant insights powered by AI)
Executive Summary

This vulnerability arises from Python's build system using the VPATH variable to locate certain landmark files, such as Modules/setup.local, relative to the executable. When Python finds this landmark, it assumes it is running in a source tree and changes the default sys.path accordingly. This behavior remains in release builds to support in-tree layouts.

On Windows, VPATH is set to "..\..", which points outside the Python install directory. This can allow a low-privilege user to create the landmark file and an alternative Lib folder outside the install directory, potentially leading to privilege escalation if the Python installation is in a legacy default location where all users can create folders in the directory two levels above it.

The vulnerable code path is the fallback that uses VPATH to find landmarks when the more specific landmark file (.\pybuilddir.txt) is absent. Future Python releases will remove this fallback to prevent such risks.

Impact Analysis

This vulnerability can allow a low-privilege user on Windows systems to create files and directories outside the Python install directory, such as the landmark file and an alternative Lib folder. This can lead to privilege escalation by causing Python to load malicious code or modules from these locations.

The risk is especially relevant for legacy Python installations in default locations where multiple users have write permissions to directories above the Python install path.

Mitigations include migrating to the new Python install manager for per-user installations, which restricts modification by other users, or preemptively creating and restricting access to the Modules directory to prevent unauthorized creation of landmarks.

Detection Guidance

This vulnerability involves Python builds detecting a landmark file (Modules/setup.local) relative to the VPATH variable, which on Windows points outside the install directory. Detection involves checking if such a landmark exists outside the Python install directory, especially in legacy installations where the directory two levels above the Python install directory is writable by low-privilege users.

To detect this on your system, you can check for the presence of the landmark file and the permissions of directories two levels above your Python installation. For example, on Windows, if your Python install is at C:\Python, check if C:\Modules\setup.local exists and if the directory permissions allow non-privileged users to create or modify files there.

Suggested commands in Windows PowerShell, run from the Python installation directory (the one containing python.exe, so that ..\.. resolves to the same place VPATH does), to check for the landmark and the permissions of its parent:

  • Test-Path ..\..\Modules\setup.local -PathType Leaf
  • Get-Acl ..\..\Modules | Format-List
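
As an added example (not part of the advisory or the Python project), the following script performs the check above for a given install directory: it derives the landmark path from the Windows VPATH of '..\..', reports whether a landmark or alternative Lib already exists there, and flags create rights granted to broad groups on the directory that would hold it. The $PythonHome parameter and the list of broad groups are assumptions.

```powershell
# Added example, not from the advisory: audit a Windows Python install for the
# CVE-2026-12003 landmark path and for broad create rights two levels up.
# Assumes $PythonHome contains python.exe; the list of broad groups is an assumption.
param(
    [Parameter(Mandatory = $true)]
    [string]$PythonHome   # e.g. C:\Python
)

$pyHome = (Resolve-Path -LiteralPath $PythonHome).Path
if (-not (Test-Path -LiteralPath (Join-Path $pyHome 'python.exe') -PathType Leaf)) {
    throw "python.exe not found in $pyHome"
}

# VPATH on Windows is '..\..' relative to the executable's directory.
$vpathRoot  = [System.IO.Path]::GetFullPath((Join-Path $pyHome '..\..'))
$modulesDir = Join-Path $vpathRoot 'Modules'
$landmark   = Join-Path $modulesDir 'setup.local'
$altLib     = Join-Path $vpathRoot 'Lib'

# Principals whose create rights would let any local user plant the landmark.
$broadGroups  = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$createRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-BroadCreateRule([string]$Path) {
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadGroups -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $createRights) -ne 0
    }
}

# 1. Has a landmark or an alternative Lib already been planted?
if (Test-Path -LiteralPath $landmark -PathType Leaf) {
    Write-Warning "Landmark present: $landmark (Python may treat this install as in-tree)"
}
if (Test-Path -LiteralPath $altLib -PathType Container) {
    Write-Warning "Alternative Lib directory present: $altLib"
}

# 2. Could a low-privilege user create one? Check Modules if it exists, else its parent.
$target = if (Test-Path -LiteralPath $modulesDir -PathType Container) { $modulesDir } else { $vpathRoot }
$rules = @(Get-BroadCreateRule $target)
if ($rules.Count -gt 0) {
    Write-Warning "$target grants create rights to broad groups; install at $pyHome is exposed."
    $rules | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Output "No broad create rights on $target; install at $pyHome appears unaffected."
}
```

A per-user install under the user's profile normally reports no broad create rights, matching the advisory's statement that such installs are unaffected.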

On Unix-like systems, since the vulnerability is less likely due to different build layouts, detection would focus on verifying if the pybuilddir.txt file is missing and if VPATH is overridden to point outside the install directory.

Mitigation Strategies

The primary mitigation is to migrate away from the legacy Python installer on Windows and use the new Python install manager to perform per-user installations. These per-user installs restrict modification by other users, removing the risk of privilege escalation.

Alternatively, you can preemptively create and restrict access to a Modules directory at the location two levels above the Python installation directory to prevent low-privilege users from creating the landmark file and alternative Lib folder.
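
As an added example of that alternative mitigation (not from the advisory or the Python project), this script pre-creates the Modules directory two levels above a given install and replaces its ACL so that only Administrators and SYSTEM can write there, while other users keep read access. It assumes $PythonHome contains python.exe and that it is run from an elevated PowerShell session.

```powershell
# Added example, not from the advisory: pre-create the Modules directory two levels
# above a Python install and restrict it so low-privilege users cannot plant the
# setup.local landmark. Assumes $PythonHome holds python.exe; run as Administrator.
param(
    [Parameter(Mandatory = $true)]
    [string]$PythonHome   # e.g. C:\Python
)

$pyHome     = (Resolve-Path -LiteralPath $PythonHome).Path
$modulesDir = [System.IO.Path]::GetFullPath((Join-Path $pyHome '..\..\Modules'))

if (-not (Test-Path -LiteralPath $modulesDir -PathType Container)) {
    New-Item -ItemType Directory -Path $modulesDir | Out-Null
} elseif (Test-Path -LiteralPath (Join-Path $modulesDir 'setup.local') -PathType Leaf) {
    # An existing landmark means the in-tree fallback may already be triggered; inspect it first.
    Write-Warning "setup.local already exists in $modulesDir"
}

# Build an ACL that only Administrators and SYSTEM can modify. Inheritance is cut so the
# permissive root-of-drive ACL (the condition the advisory describes) does not flow down.
$acl = Get-Acl -LiteralPath $modulesDir
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, drop inherited rules
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', $inherit, $prop, 'Allow')))
}
# Everyone else may read (so Python can still stat the path) but cannot create files here.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', $inherit, $prop, 'Allow')))
Set-Acl -LiteralPath $modulesDir -AclObject $acl

# Show the resulting ACL for verification.
Get-Acl -LiteralPath $modulesDir | Format-List Path, AccessToString
```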

For Python versions 3.13 and 3.14, updated legacy installers will be provided. Earlier versions receive fixes only as source updates, so rebuilding Python from source with the patch applied is recommended.
