CVE-2026-1703

N/A Unknown

📋 TL;DR

This CVE describes a path traversal vulnerability in pip's wheel archive extraction. When installing a maliciously crafted wheel file, attackers can write files outside the intended installation directory, potentially to parent directories. This affects users who install Python packages from untrusted sources using vulnerable pip versions.

💻 Affected Systems

Products:
  • pip
Versions: All versions before the fix
Operating Systems: All operating systems where pip is used
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects wheel archive installation, not other package formats. Requires user to install a malicious package.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could write arbitrary files to parent directories of the installation location, potentially overwriting configuration files or planting backdoors in adjacent directories.

🟠 Likely Case

Limited file writes to parent directories of the installation location, but unable to overwrite system executables or critical files in typical configurations.

🟢 If Mitigated

No impact if installing only from trusted sources or using updated pip versions.

🌐 Internet-Facing: MEDIUM - Attackers could host malicious wheels on PyPI or other package repositories.
🏢 Internal Only: LOW - Requires users to install malicious packages from internal sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires crafting a malicious wheel file and convincing users to install it. The path traversal is limited to prefixes of the installation directory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in pip versions after commit 8e227a9be4faa9594e05d02ca05a413a2a4e7735

Vendor Advisory: https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/

Restart Required: No

Instructions:

1. Update pip using: python -m pip install --upgrade pip
2. Verify the update with: pip --version

🔧 Temporary Workarounds

Install from trusted sources only

Applies to: all

Only install Python packages from trusted repositories and verified maintainers.

Use virtual environments

Applies to: all

Install packages in isolated virtual environments to limit potential damage.

python -m venv myenv
source myenv/bin/activate (Linux/Mac)
myenv\Scripts\activate (Windows)

🧯 If You Can't Patch

  • Only install packages from trusted sources and verified maintainers
  • Use virtual environments with limited permissions for package installation
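A pre-install audit is another option when updating pip is not immediately possible. The following is an added example, not code from this advisory or from pip: it lists every zip member of a wheel whose name would resolve above the extraction root, which is exactly the parent-directory write this CVE describes. The sample archives are constructed in memory (`build_sample_wheel`, `SAFE_WHEEL`, `SUSPECT_WHEEL` are names chosen here, not pip APIs).

```python
import io
import posixpath
import zipfile


def wheel_entry_escapes(name: str) -> bool:
    """Return True if a zip member name would land outside the extraction root.

    Wheel members must be relative, forward-slash paths. Absolute paths, drive
    prefixes and any '..' component that climbs above the root are escapes.
    """
    # Absolute POSIX/Windows paths or a drive letter ("C:...") are never legitimate.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True
    # Backslashes are not valid wheel separators; normalise them before collapsing '..'.
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def audit_wheel(data: bytes) -> list[str]:
    """Return the member names in a wheel (zip bytes) that escape the install root."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if wheel_entry_escapes(info.filename)]


def build_sample_wheel(members: dict[str, bytes]) -> bytes:
    """Constructed sample only: build an in-memory zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a well-formed wheel layout, and one whose entry climbs one level up.
SAFE_WHEEL = build_sample_wheel({
    "demo/__init__.py": b"",
    "demo-1.0.dist-info/METADATA": b"Name: demo\n",
    "demo-1.0.dist-info/RECORD": b"",
})
SUSPECT_WHEEL = build_sample_wheel({
    "demo/__init__.py": b"",
    "../escaped.txt": b"would be written to the parent of the install root\n",
})

if __name__ == "__main__":
    for label, blob in (("safe", SAFE_WHEEL), ("suspect", SUSPECT_WHEEL)):
        print(label, audit_wheel(blob))  # safe [] / suspect ['../escaped.txt']
```

Run `audit_wheel` over the bytes of a downloaded `.whl` before handing it to pip; a non-empty result is grounds to quarantine the file rather than install it.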

🔍 How to Verify

Check if Vulnerable:

Check pip version and compare against fixed versions. Vulnerable if using pip before the security fix.

Check Version:

pip --version

Verify Fix Applied:

Verify pip version is updated and test with known safe wheel packages.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file writes outside expected installation directories during pip install operations
  • Installation of packages from untrusted sources

Network Indicators:

  • Downloads from unusual package repositories or untrusted sources

SIEM Query:

Process execution: pip install with arguments pointing to unusual sources OR File creation: files written outside expected pip installation directories
