CVE-2026-8643
Analyzed Analyzed - Analysis Complete
pip Entry Point Path Traversal Vulnerability

Publication date: 2026-06-01

Last updated on: 2026-06-04

Assigner: Python Software Foundation

Description
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-04
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-8643
EUVD
EUVD-2026-33682
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pypa pip to 26.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8643 is a path traversal vulnerability in pip where console_scripts and gui_scripts entry points are treated as paths instead of file names without proper sanitization.

This flaw allows malicious entry point names containing path separators to escape the intended installation directory, leading to scripts being installed outside the designated directory.

As a result, attackers could overwrite arbitrary files on the system during wheel installations.

Impact Analysis

This vulnerability can allow an attacker to overwrite arbitrary files on your system by installing scripts outside the intended installation directory.

Such arbitrary file overwrite could lead to unauthorized code execution, system compromise, or corruption of important files.

Detection Guidance

This vulnerability involves pip treating console_scripts and gui_scripts entry points as paths instead of file names, allowing installation of scripts outside the intended directory. Detection would involve checking for any installed scripts or entry points that reside outside the designated scripts directory.

Since the vulnerability is related to path traversal during wheel installation, you can inspect installed scripts for suspicious path separators or locations outside the expected installation directory.

Suggested commands to detect potential exploitation might include searching for scripts installed outside the normal pip scripts directory. For example, on Unix-like systems:

  • find $(python3 -m site --user-base)/bin -type f -exec ls -l {} +
  • find /usr/local/bin /usr/bin -type f -name '*-script.py' -exec grep -l '../' {} +

These commands help identify scripts installed in unexpected locations or containing suspicious path references. Additionally, reviewing pip installation logs for warnings or errors related to entry point installation paths may help.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade pip to version 26.1.2 or later, where the issue has been fixed by rejecting entry points that would install scripts outside the designated scripts directory.

Avoid installing wheels or packages from untrusted sources that might exploit this path traversal vulnerability.

Review existing installed scripts for any that may have been installed outside the intended directories and remove or reinstall them safely.

Compliance Impact

CVE-2026-8643 is a path traversal vulnerability in pip that could allow arbitrary file overwrite by installing scripts outside the intended directory. This could potentially lead to unauthorized modification of sensitive files.

Such unauthorized file overwrites may pose risks to data integrity and security, which are critical aspects of compliance with standards like GDPR and HIPAA. However, the provided information does not explicitly discuss the impact on compliance with these or other regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8643. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart