Description
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via arbitrary file permission modification
Action: Patch
AI Analysis

Impact

The vulnerability resides in the wheel command line tool, which handles Python wheel files. In wheel versions 0.40.0 through 0.46.1, the unpack routine trusts the filename supplied in the archive header when performing the chmod operation, even though the extraction path itself was sanitized. A malicious wheel file can therefore be crafted to alter the permissions of critical system files such as /etc/passwd, SSH keys, or configuration scripts. An attacker who can cause the unpack operation to run may gain write access to executable files and then modify them to run arbitrary code, thereby achieving privilege escalation or remote code execution. This flaw corresponds to the file-system path traversal (CWE-22) and improper permission handling (CWE-732) weaknesses.
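As an added illustration (not code from the wheel project), the check described above is shown the way a hardened unpacker would do it: a pre-unpack scan of archive entry names, and a chmod helper that only applies a mode when the target resolves inside the destination directory. Function names are hypothetical, and the archive it scans is constructed inline rather than taken from a real wheel.

```python
import io
import os
import stat
import tempfile
import zipfile
from pathlib import PurePosixPath

def member_modes(wheel_bytes: bytes) -> dict[str, int]:
    """Permission bits each entry requests: the upper 16 bits of external_attr."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return {i.filename: (i.external_attr >> 16) & 0o777 for i in zf.infolist()}

def is_unsafe_name(name: str) -> bool:
    """True if an entry name could point outside the extraction directory."""
    if not name or "\\" in name:
        return True
    p = PurePosixPath(name)
    return p.is_absolute() or ".." in p.parts or ":" in p.parts[0]

def unsafe_members(wheel_bytes: bytes) -> list[str]:
    """Pre-unpack scan: entries whose names would escape the destination."""
    return [n for n in member_modes(wheel_bytes) if is_unsafe_name(n)]

def safe_apply_mode(dest: str, name: str, mode: int) -> bool:
    """chmod only if dest/name resolves inside dest; this is the check the bug lacked."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return False  # refuse to touch anything outside the unpack directory
    os.chmod(target, mode)
    return True

def build_sample_wheel() -> bytes:
    """Constructed sample archive (not a real wheel): one normal and one escaping entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("demo/script.py")
        info.external_attr = 0o755 << 16  # request rwxr-xr-x, as wheels do for scripts
        zf.writestr(info, "print('hi')\n")
        zf.writestr("../outside.txt", "x")
    return buf.getvalue()

def demo() -> tuple[list[str], bool, bool, int]:
    """Scan the sample, then show chmod applied inside dest and refused outside it."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "script.py"), "w").close()
        inside = safe_apply_mode(d, "script.py", 0o755)
        mode = stat.S_IMODE(os.stat(os.path.join(d, "script.py")).st_mode)
        outside = safe_apply_mode(d, "../script.py", 0o777)
    return unsafe_members(build_sample_wheel()), inside, outside, mode
```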

Affected Systems

All installations of the wheel package from the wheel project, specifically pypa:wheel, that use wheel versions 0.40.0 through 0.46.1. Environments where wheel is employed to unpack distributions—such as development machines, CI pipelines, and deployment automation—are affected.

Risk and Exploitability

The CVSS base score of 7.1 (High) reflects high integrity and availability impact. The EPSS score is below 1%, suggesting a low probability of widespread exploitation at present, and the CVE is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local, requiring an attacker to get the wheel unpack command run against a crafted wheel file. If wheel is used in a CI or automated deployment scenario, the threat could become semi-remote, as the automation process executes the unpack. The exploit requires the ability to run the wheel tool and sufficient permissions to reach the target files on the system's filesystem, but does not require elevated privileges to initiate the attack.

Generated by OpenCVE AI on April 18, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wheel package to version 0.46.2 or later, which contains the permission handling fix.
  • When rebuilding or deploying packages, verify wheel file integrity by checking checksums or signatures before unpacking.
  • Run wheel unpack operations under a non-privileged user or within a restricted container to limit the impact of any potential permission changes.


Advisories

Source        ID                    Title
Github GHSA   GHSA-8rrh-rw8j-w5fx   Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack
Ubuntu USN    USN-8221-1            wheel vulnerability
History

Wed, 18 Feb 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wheel Project; Wheel Project wheel
CPEs                                  cpe:2.3:a:wheel_project:wheel:*:*:*:*:*:python:*:*
Vendors & Products                    Wheel Project; Wheel Project wheel

Fri, 23 Jan 2026 18:00:00 +0000

Type          Values Removed / Values Added
Description   Values Removed: wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
              Values Added: wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

Fri, 23 Jan 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pypa; Pypa wheel
Vendors & Products                    Pypa; Pypa wheel

Fri, 23 Jan 2026 00:15:00 +0000

Type         Values Removed            Values Added
References
Metrics      threat_severity: None     threat_severity: Important


Thu, 22 Jan 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 04:30:00 +0000

Type          Values Removed   Values Added
Description                    wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Title                          wheel Allows Arbitrary File Permission Modification via Path Traversal
Weaknesses                     CWE-22, CWE-732
References
Metrics                        cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T14:58:36.933Z

Reserved: 2026-01-20T22:30:11.778Z

Link: CVE-2026-24049

Vulnrichment

Updated: 2026-01-22T12:24:57.994Z

NVD

Status : Analyzed

Published: 2026-01-22T05:16:23.157

Modified: 2026-02-18T14:56:48.657

Link: CVE-2026-24049

Redhat

Severity : Important

Public Date: 2026-01-22T04:02:08Z

Links: CVE-2026-24049 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses