CVE-2026-59890
Received Received - Intake

setuptools Source Distribution Path Traversal via Unicode Normalization Bypass

Vulnerability report for CVE-2026-59890, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
pypa setuptools 83.0.0
pypa setuptools to 83.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-176 The product does not properly handle when an input contains Unicode encoding.
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59890 is a vulnerability in setuptools, a Python package management tool. The issue arises because setuptools matches file names against exclusion patterns from MANIFEST.in without normalizing Unicode characters. On macOS file systems like APFS and HFS+, file names can be stored in a decomposed Unicode form (NFD), while exclusion patterns are typically written in a composed form (NFC). This mismatch causes exclusion rules to fail, allowing files that should be excluded to be included in source distributions.

Impact Analysis

This vulnerability can lead to unintended inclusion of files in source distributions, especially on macOS systems. Files that were meant to be excluded, such as sensitive or private configuration files, could be packaged and published unintentionally. This may result in irreversible disclosure of sensitive information when these packages are uploaded to public repositories like PyPI.

Detection Guidance

This vulnerability involves the failure of MANIFEST.in exclusion rules due to Unicode normalization differences on macOS filesystems (APFS/HFS+). Detection involves verifying whether source distributions (sdist) created by setuptools include files that should have been excluded by MANIFEST.in rules, especially files with non-ASCII names.

Since the issue is related to Unicode normalization forms (NFD vs NFC) on macOS, you can check for the presence of excluded files in source distributions by inspecting the contents of the generated sdist packages.

Suggested commands to detect this issue include:

  • On macOS, list files in the source distribution archive and check for unexpected files with non-ASCII names: tar -tf <source-distribution>.tar.gz | grep -P '[^\x00-\x7F]'
  • Compare the files listed in MANIFEST.in exclude or prune rules with the actual files included in the sdist to identify discrepancies.
  • Use Python scripts to normalize filenames in the source directory and compare them against MANIFEST.in patterns to detect mismatches.
Mitigation Strategies

The primary mitigation is to upgrade setuptools to version 83.0.0 or later, where this vulnerability is fixed by normalizing both MANIFEST.in patterns and file paths to NFC before matching.

If upgrading immediately is not possible, as a temporary workaround, avoid building source distributions on macOS filesystems that use NFD normalization or manually verify that excluded files are not included in the sdist.

Review MANIFEST.in exclusion rules to ensure they are effective and consider normalizing filenames in your source tree to NFC before packaging.

Compliance Impact

The vulnerability in setuptools can lead to unintended inclusion of sensitive files, such as secrets or private configurations, in source distributions due to Unicode normalization mismatches on macOS filesystems.

This unintended disclosure could result in irreversible exposure of sensitive data when packages are published to public repositories like PyPI.

Such exposure of sensitive or confidential information may impact compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access or disclosure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart