Description
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
Published: 2026-04-20
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: Confusing Package Installation due to Misidentified Archives
Action: Assess Impact
AI Analysis

Impact

pip treats a concatenated tar-and-ZIP file as a ZIP archive regardless of its filename or of the fact that it is simultaneously a valid tar and ZIP archive. This misclassification can cause incorrect or unintended files to be installed, leading to confusing or incorrect package behavior.

Affected Systems

The vulnerability affects the Python Packaging Authority’s pip tool. No specific version information is provided, so all unpatched pip releases prior to the fix are potentially affected.

Risk and Exploitability

The CVSS score of 4.6 indicates a moderate impact. The vulnerability is not listed in CISA KEV. The likely attack vector requires an attacker to provide a malicious archive to pip during installation, which could result in malformed or unwanted files being installed but does not directly lead to arbitrary code execution. The risk remains moderate and should be mitigated by updating pip to a version that handles concatenated archives correctly.

Generated by OpenCVE AI on April 20, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pip to the latest version, which correctly handles concatenated ZIP and tar archives.
  • Before installing from untrusted sources, verify the archive type using a dedicated file inspection tool or check the file signature to ensure it is a valid ZIP or tar archive.
  • Monitor CVE advisories and pip security announcements for additional updates or workarounds.

Generated by OpenCVE AI on April 20, 2026 at 20:43 UTC.
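Added example (mine, not code from the OpenCVE record or from pip): a standard-library check that implements the second recommended action above and the "identifies uniquely" rule the description attributes to fixed pip. The function names and the in-memory sample archives are my own constructions; it shows why a tar archive with a ZIP appended passes both readers' checks and what a ZIP-first reader would unpack from it.

```python
import io
import tarfile
import zipfile

def build_tar(members):
    # Constructed sample: uncompressed tar archive built in memory.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_zip(members):
    # Constructed sample: ZIP archive built in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, mode="w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def archive_kinds(blob):
    # Every format the stdlib readers accept the blob as. is_tarfile only
    # checks the header at offset 0 and is_zipfile only looks for the
    # end-of-central-directory record at the end, so tar+ZIP passes both.
    kinds = set()
    if tarfile.is_tarfile(io.BytesIO(blob)):
        kinds.add("tar")
    if zipfile.is_zipfile(io.BytesIO(blob)):
        kinds.add("zip")
    return kinds

def accept_archive(blob):
    # The rule the advisory describes for fixed pip: proceed only when the
    # file identifies uniquely as ZIP or tar; "both" and "neither" are rejected.
    kinds = archive_kinds(blob)
    return kinds.pop() if len(kinds) == 1 else None

def zip_member_names(blob):
    # What a reader that treats the blob as ZIP (the old behaviour) unpacks.
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()

# Constructed inputs: the tar carries the file a user expects; the ZIP
# appended to it carries different content under the same path.
TAR_ONLY = build_tar({"pkg/__init__.py": b"# expected\n"})
ZIP_ONLY = build_zip({"pkg/__init__.py": b"# unexpected\n"})
POLYGLOT = TAR_ONLY + ZIP_ONLY  # tar header at offset 0, ZIP trailer at the end
```

With the polyglot, `archive_kinds` reports both formats and `accept_archive` returns None, while `zip_member_names` shows that a ZIP-first reader would silently take the appended ZIP's members.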

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 21:30:00 +0000
  References

Mon, 20 Apr 2026 19:00:00 +0000
  Weaknesses: CWE-20, CWE-749

Mon, 20 Apr 2026 17:45:00 +0000
  Weaknesses: CWE-20, CWE-749

Mon, 20 Apr 2026 17:15:00 +0000
  Weaknesses: CWE-434
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 15:45:00 +0000

Mon, 20 Apr 2026 15:15:00 +0000
  Description: pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
  Title: pip doesn't reject concatenated ZIP and tar archives
  References
  Metrics: cvssV4_0 {'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-04-20T20:15:23.710Z

Reserved: 2026-02-25T17:50:26.456Z

Link: CVE-2026-3219

Vulnrichment

Updated: 2026-04-20T20:15:23.710Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T16:16:45.430

Modified: 2026-04-20T21:16:36.420

Link: CVE-2026-3219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses