Description
virtualenv is a tool for creating isolated virtual Python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
Published: 2026-01-10
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Path Manipulation via Symlink Race Condition
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a time-of-check to time-of-use (TOCTOU) race in directory creation within virtualenv. Prior to version 20.36.1, an attacker with local access can create a symlink at a path that virtualenv checks for existence before creating it. Because the existence check and the creation are not atomic, the symlink is followed and virtualenv's app_data or lock files are written to an attacker-controlled location instead of the intended one. This can lead to unintended file writes, overwriting of system files, and data leakage. The weakness is tracked as CWE-362 (race condition) and CWE-59 (improper link resolution before file access).

Affected Systems

Any installation of the Python virtualenv package from the PyPA project that predates version 20.36.1. The vulnerability applies to all platforms where virtualenv can be executed locally, including Windows, macOS and Linux systems that use Python environments.

Risk and Exploitability

The CVSS score of 4.5 indicates medium severity (vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L: local access, high attack complexity, low privileges required, no user interaction). The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. A local attacker who can run code in the user's environment can trigger the race by manipulating the filesystem just before virtualenv is invoked. Because the flaw depends on a symlink being in place after the existence check, the attacker must be able to write to the target directory and to win the timing window for creating the symlink; without both, the vulnerability cannot be abused.

Generated by OpenCVE AI on April 18, 2026 at 07:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade virtualenv to version 20.36.1 or later.
  • Verify that the directory used by virtualenv for app_data and lock files is owned by a trusted user and not writable by untrusted processes.
  • If an update cannot be performed immediately, restrict virtualenv execution to trusted code paths and avoid running it with elevated privileges on systems where local attackers exist.
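As an added illustration of the check-then-create weakness described under Impact and of the ownership check recommended in the second action above, the following Python example (written for this page; it is not virtualenv's own code, and all path and function names are constructed) shows the racy pattern next to a hardened variant that creates first and then verifies with lstat, which does not follow symlinks:

```python
import os
import shutil
import stat
import tempfile


def create_dir_racy(path: str) -> None:
    """Check-then-create: the TOCTOU shape the advisory describes.

    os.path.exists() follows symlinks, so a symlink planted at `path` (before
    or between the check and the mkdir) passes the check, and everything later
    written "into" the directory lands wherever the link points.
    """
    if not os.path.exists(path):
        os.mkdir(path, 0o700)


def create_dir_safely(path: str) -> str:
    """Hardened variant: create first, then verify with lstat, which does not
    follow symlinks. mkdir() on an existing symlink fails with EEXIST rather
    than following it, so the only remaining question is what is really there."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # something already exists; the checks below decide whether to trust it
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"refusing {path}: it is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"refusing {path}: not a directory")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise RuntimeError(f"refusing {path}: owned by uid {st.st_uid}, not us")
    return path


def demo() -> dict:
    """Constructed scenario in a temporary tree. The symlink is planted before
    the check, which is exactly the state a race winner leaves behind."""
    base = tempfile.mkdtemp(prefix="toctou-demo-")
    try:
        target = os.path.join(base, "attacker_chosen_dir")  # constructed name
        os.mkdir(target)
        app_data = os.path.join(base, "app_data")           # constructed name
        os.symlink(target, app_data)

        create_dir_racy(app_data)  # exists() follows the link: check passes, nothing created
        with open(os.path.join(app_data, "lockfile"), "w") as fh:  # constructed file
            fh.write("")
        racy_misdirected = os.path.exists(os.path.join(target, "lockfile"))

        try:
            create_dir_safely(app_data)
            safe_rejected = False
        except RuntimeError:
            safe_rejected = True

        fresh = create_dir_safely(os.path.join(base, "fresh_app_data"))
        fresh_ok = os.path.isdir(fresh) and not os.path.islink(fresh)

        return {
            "racy_misdirected_write": racy_misdirected,
            "safe_rejected_symlink": safe_rejected,
            "safe_created_fresh_dir": fresh_ok,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The hardened variant closes the window the advisory describes for the directory itself; files created inside it afterwards should be opened relative to a directory file descriptor (os.open with O_NOFOLLOW, then dir_fd= on later calls, on POSIX) so a later path substitution cannot redirect them either. Upgrading to 20.36.1 or later remains the actual fix; this example only shows what the auditing check on an existing app_data directory looks like.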

Advisories
Source: GitHub GHSA
ID: GHSA-597g-3phw-6986
Title: virtualenv Has TOCTOU Vulnerabilities in Directory Creation
History

Wed, 18 Feb 2026 17:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:virtualenv:virtualenv:*:*:*:*:*:*:*:*

Mon, 12 Jan 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Virtualenv; Virtualenv virtualenv
Vendors & Products | | Virtualenv; Virtualenv virtualenv

Sun, 11 Jan 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity None | threat_severity Moderate


Sat, 10 Jan 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
Title | | virtualenv Has TOCTOU Vulnerabilities in Directory Creation
Weaknesses | | CWE-362; CWE-59
References | |
Metrics | | cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T16:44:12.734Z

Reserved: 2026-01-08T19:23:09.857Z

Link: CVE-2026-22702

Vulnrichment

Updated: 2026-01-12T16:44:09.679Z

NVD

Status: Analyzed

Published: 2026-01-10T07:16:02.857

Modified: 2026-02-18T17:43:08.147

Link: CVE-2026-22702

Redhat

Severity: Moderate

Public Date: 2026-01-10T06:05:53Z

Links: CVE-2026-22702 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses