CVE-2026-7774
Path Traversal in Python tarfile Module
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: Python Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | python | From 3.11 (inc) to 3.15 (inc) |
| python | cpython | 3.10 |
| python | cpython | 3.11 |
| python | cpython | 3.12 |
| python | cpython | 3.13 |
| python | cpython | 3.14 |
| python | cpython | 3.15 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7774 is a security vulnerability in Python's tarfile.data_filter module that allows crafted tar archives to bypass path traversal protections.
Specifically, attackers can create malicious tar archives containing symlinks with empty or directory-like names that redirect files outside the intended extraction directory.
This happens because the data filter normalizes link names but performs containment checks on un-normalized values, allowing the bypass.
As a result, when using tarfile.extractall(), files can be written outside the destination directory, subject to the permissions of the extracting process.
How can this vulnerability impact me? :
This vulnerability can allow a malicious tar archive to write files outside the intended extraction directory.
An attacker could exploit this to overwrite or create files anywhere the extracting process has permission to write, potentially leading to unauthorized file modification or system compromise.
It could also enable replacing the destination directory itself with a symlink, redirecting all further file operations to unintended locations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-7774, you should update your Python installations to versions where the vulnerability has been patched. The fix validates the actual link targets being written during tarfile extraction to prevent path traversal bypasses.
- Apply patches or upgrade to Python versions 3.10 through 3.15 where backports addressing this issue have been prepared.
- Avoid extracting untrusted tar archives using tarfile.extractall() until the fix is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in tarfile.data_filter allows malicious tar archives to write files outside the intended extraction directory, potentially leading to unauthorized file writes. This could result in unauthorized access or modification of sensitive data if exploited in environments handling regulated information.
Such unauthorized file writes and potential data exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and access. If exploited, this vulnerability might lead to breaches of protected data or system integrity, thereby violating these compliance requirements.