CVE-2026-8643
pip Entry Point Path Traversal Vulnerability
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Python Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pypa | pip | 26.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8643 is a path traversal vulnerability in pip where console_scripts and gui_scripts entry points are treated as paths instead of file names without proper sanitization.
This flaw allows malicious entry point names containing path separators to escape the intended installation directory, leading to scripts being installed outside the designated directory.
As a result, attackers could overwrite arbitrary files on the system during wheel installations.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to overwrite arbitrary files on your system by installing scripts outside the intended installation directory.
Such arbitrary file overwrite could lead to unauthorized code execution, system compromise, or corruption of important files.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves pip treating console_scripts and gui_scripts entry points as paths instead of file names, allowing installation of scripts outside the intended directory. Detection would involve checking for any installed scripts or entry points that reside outside the designated scripts directory.
Since the vulnerability is related to path traversal during wheel installation, you can inspect installed scripts for suspicious path separators or locations outside the expected installation directory.
Suggested commands to detect potential exploitation might include searching for scripts installed outside the normal pip scripts directory. For example, on Unix-like systems:
- find $(python3 -m site --user-base)/bin -type f -exec ls -l {} +
- find /usr/local/bin /usr/bin -type f -name '*-script.py' -exec grep -l '../' {} +
These commands help identify scripts installed in unexpected locations or containing suspicious path references. Additionally, reviewing pip installation logs for warnings or errors related to entry point installation paths may help.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade pip to version 26.1.2 or later, where the issue has been fixed by rejecting entry points that would install scripts outside the designated scripts directory.
Avoid installing wheels or packages from untrusted sources that might exploit this path traversal vulnerability.
Review existing installed scripts for any that may have been installed outside the intended directories and remove or reinstall them safely.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-8643 is a path traversal vulnerability in pip that could allow arbitrary file overwrite by installing scripts outside the intended directory. This could potentially lead to unauthorized modification of sensitive files.
Such unauthorized file overwrites may pose risks to data integrity and security, which are critical aspects of compliance with standards like GDPR and HIPAA. However, the provided information does not explicitly discuss the impact on compliance with these or other regulations.