Description
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory, which differs from the behaviour on other operating systems. Only Windows is affected by this vulnerability.
Published: 2026-04-27
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Directory traversal that allows extraction outside the intended target directory
Action: Apply Patch
AI Analysis

Impact

shutil.unpack_archive() hands ZIP archives to shutil's own unpacker, which filters entry names and then joins each one onto the target directory with os.path.join(). The existing filter rejects names that begin with a forward slash or contain "..", but not names that carry a Windows drive prefix. On Windows, os.path.join() treats a second argument such as C:\Windows\Temp\x as absolute and discards the target directory, so an entry named that way is written wherever its path points. A crafted archive can therefore create or overwrite files outside the intended extraction area, a directory traversal (CWE-22). On POSIX systems the same entry name is just a file name containing a colon and backslashes and stays under the target directory.

Affected Systems

The record does not list fixed versions. The NVD CPE data (see History below) covers CPython 3.15.0 alpha 1 through alpha 8 plus an open-ended python:python range, so any CPython installation on Windows that calls shutil.unpack_archive() on ZIP archives from untrusted sources should be treated as affected until a fix is confirmed for that version. Other platforms are not affected: there the drive-prefixed name is an ordinary relative path that stays inside the target directory.

Risk and Exploitability

The record carries two scores: CVSS 4.0 6.0 (Medium) from the PSF, whose vector (AV:N/AC:L/AT:P/PR:L/UI:N) assumes low privileges and an attack requirement, and CVSS 3.1 7.5 (High) from NVD (AV:N/AC:L/PR:N/UI:N). Both rate the impact as integrity-only (VI:H / I:H): an attacker who can get a crafted ZIP to code that passes it to unpack_archive() on Windows can create or overwrite files at an attacker-chosen drive path, but the flaw by itself discloses no data and causes no denial of service. The attack vector is network in both scores because the archive is the attacker's input; exposure depends on whether the application accepts archives from untrusted sources (uploads, downloaded packages, attachments). The vulnerability is not in the CISA KEV catalog, and the SSVC assessment records no known exploitation (Exploitation: none, Automatable: no).

Generated by OpenCVE AI on April 28, 2026 at 12:50 UTC.

Remediation

The record lists no vendor fix or workaround. Until a fixed CPython release is available, the practical workaround is to validate ZIP entry names yourself before extraction, as described under the recommended actions.

OpenCVE Recommended Actions

  • Upgrade to a CPython release that includes the fix for CVE-2026-3087 once the PSF publishes one; the record currently lists no fixed version
  • Replace calls to shutil.unpack_archive() with an extraction routine that validates each entry name before writing: reject names with a drive letter or UNC prefix (as reported by ntpath.splitdrive()), names that begin with "/" or "\", and names containing a ".." component
  • If neither is immediately possible, extract only into a dedicated directory and, after joining each entry name onto it, verify with os.path.commonpath() that the resolved path is still under that directory before writing

Advisories

No advisories yet.

History

Wed, 13 May 2026 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Microsoft
                                      Microsoft windows
                                      Python python
CPEs                                  cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:python:python:3.15.0:alpha_1:*:*:*:*:*:*
                                      cpe:2.3:a:python:python:3.15.0:alpha_2:*:*:*:*:*:*
                                      cpe:2.3:a:python:python:3.15.0:alpha_3:*:*:*:*:*:*
                                      cpe:2.3:a:python:python:3.15.0:alpha_4:*:*:*:*:*:*
                                      cpe:2.3:a:python:python:3.15.0:alpha_5:*:*:*:*:*:*
                                      cpe:2.3:a:python:python:3.15.0:alpha_6:*:*:*:*:*:*
                                      cpe:2.3:a:python:python:3.15.0:alpha_7:*:*:*:*:*:*
                                      cpe:2.3:a:python:python:3.15.0:alpha_8:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products                    Microsoft
                                      Microsoft windows
                                      Python python
Metrics                               cvssV3_1
                                      {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Wed, 29 Apr 2026 16:15:00 +0000


Tue, 28 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 00:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Python
                                      Python cpython
Vendors & Products                    Python
                                      Python cpython

Mon, 27 Apr 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Description                           If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
Title                                 shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs
Weaknesses                            CWE-22
References
Metrics                               cvssV4_0
                                      {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-05-12T13:25:02.962Z

Reserved: 2026-02-23T23:14:46.433Z

Link: CVE-2026-3087

Vulnrichment

Updated: 2026-04-28T05:07:42.331Z

NVD

Status : Analyzed

Published: 2026-04-27T21:16:42.480

Modified: 2026-05-13T16:27:11.110

Link: CVE-2026-3087

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:00:15Z

Weaknesses