Description
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not sufficient for execution of malicious code. Malicious code will only be executed after installation if the malicious package is imported or invoked by the user.) This issue has been patched in version 2.3.3.
Published: 2026-04-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a path traversal flaw in Poetry's wheel handling. A wheel whose member names contain "../" components is written outside the intended extraction directory because Poetry does not enforce a containment check on each member before writing it. An attacker who can get such a wheel installed can overwrite any file the Poetry process can write to, which could lead to tampering with configuration files, planting scripts that run later, or otherwise compromising the environment. The flaw is classified as CWE-22.
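As an added illustration of the containment check the analysis describes, and not Poetry's own code, the Python below audits every member name of a wheel archive (a zip file) against the destination directory before any file is written, and refuses the whole archive if even one member would resolve outside it. The wheels it builds are constructed in memory with made-up member names; the site-packages directory it uses is a temporary one. It goes a little beyond the plain "../" case by also rejecting absolute and drive-letter member names.

```python
"""Containment check for wheel archive members before extraction.

Added example, not Poetry's own code. It models the kind of defensive
check the advisory describes as missing in Poetry 1.4.0 to 2.3.2: every
member name in a wheel (a zip archive) must resolve inside the
destination directory before any byte is written. The wheels built
below are constructed in memory for illustration; the member names are
made-up samples, not artifacts from the advisory.
"""
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeWheelMember(ValueError):
    """A wheel member whose name would land outside the destination directory."""


def safe_member_path(dest: Path, member_name: str) -> Path:
    """Resolve member_name under dest, raising UnsafeWheelMember if it escapes.

    Rejects NUL bytes, absolute and drive-letter names for either platform,
    and any '../' (or '..\\') sequence that climbs above dest once resolved.
    """
    if "\x00" in member_name:
        raise UnsafeWheelMember(member_name)
    # Treat backslashes as separators too, so a name crafted for Windows
    # is judged the same way on every host.
    normalized = member_name.replace("\\", "/")
    if PurePosixPath(normalized).is_absolute() or PureWindowsPath(normalized).drive:
        raise UnsafeWheelMember(member_name)
    dest_resolved = dest.resolve()
    target = (dest_resolved / normalized).resolve()
    # Containment: the resolved target must be dest itself or strictly below it.
    if target != dest_resolved and dest_resolved not in target.parents:
        raise UnsafeWheelMember(member_name)
    return target


def audit_wheel(wheel_bytes: bytes, dest) -> list[str]:
    """Return the member names that would escape dest; an empty list means contained."""
    dest = Path(dest)
    escaping = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            try:
                safe_member_path(dest, info.filename)
            except UnsafeWheelMember:
                escaping.append(info.filename)
    return escaping


def extract_wheel_safely(wheel_bytes: bytes, dest) -> list[Path]:
    """Write the wheel's files under dest only after every member passed the check.

    Auditing the whole archive first means a crafted member cannot be reached
    by partially extracting a wheel that fails on a later entry.
    """
    dest = Path(dest)
    escaping = audit_wheel(wheel_bytes, dest)
    if escaping:
        raise UnsafeWheelMember(
            f"refusing to extract; {len(escaping)} member(s) escape {dest}: {escaping}")
    written = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            target = safe_member_path(dest, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def build_sample_wheel(member_names) -> bytes:
    """Constructed sample: an in-memory zip whose members carry placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"# placeholder\n")
    return buf.getvalue()


def run_demo() -> dict:
    """Audit a constructed clean wheel and a constructed traversal wheel in a temp tree."""
    clean = build_sample_wheel(["pkg/__init__.py", "pkg-1.0.dist-info/METADATA"])
    crafted = build_sample_wheel(["pkg/__init__.py", "../../escape.py", "pkg/../../sibling.txt"])
    with tempfile.TemporaryDirectory() as tmp:
        site_packages = Path(tmp) / "venv" / "lib" / "site-packages"
        site_packages.mkdir(parents=True)
        written = extract_wheel_safely(clean, site_packages)
        escaping = audit_wheel(crafted, site_packages)
        try:
            extract_wheel_safely(crafted, site_packages)
            refused = False
        except UnsafeWheelMember:
            refused = True
        # Nothing from either wheel may exist outside site-packages.
        outside = [p for p in Path(tmp).rglob("*")
                   if p.is_file() and site_packages.resolve() not in p.resolve().parents]
    return {
        "clean_files_written": len(written),
        "escaping_members": escaping,
        "crafted_refused": refused,
        "files_outside_site_packages": len(outside),
    }


if __name__ == "__main__":
    print(run_demo())
```

The check resolves the destination and each candidate target, so a member such as "pkg/../../sibling.txt" is caught even though it starts with an innocent-looking directory. Note that resolving follows symlinks already present on disk; an installer also has to decide how to treat links the archive itself creates, which this example does not cover.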

Affected Systems

Poetry versions from 1.4.0 up to, but not including, 2.3.3 are affected. The issue is triggered whenever Poetry installs a wheel whose member names contain path traversal sequences. Any system running those versions and fetching packages from untrusted or compromised repositories is potentially vulnerable. Updating to 2.3.3 or later adds the missing containment checks and eliminates the flaw.

Risk and Exploitability

The CVSS score of 7.1 classifies the defect as high severity. EPSS information is not available, but the flaw resides in a widely used dependency manager and is publicly known. Because the attack vector relies on an untrusted wheel being introduced during normal install flows, the exploitation probability is moderate to high for environments that do not strictly control package sources. The vulnerability is not listed in CISA's KEV catalog, but installations still running an affected version remain at significant risk until they are upgraded.

Generated by OpenCVE AI on April 2, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Poetry to version 2.3.3 or later (for example, by downloading the release from the Poetry GitHub page).
  • Verify that all wheel packages are obtained from trusted sources or use a repository with verified package signatures.



Advisories
Source: GitHub GHSA
ID: GHSA-2599-h6xx-hpxp
Title: Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write
History

Sat, 04 Apr 2026 01:15:00 +0000

Type: References
Type: Metrics
  Values removed: threat_severity = None
  Values added: cvssV3_1 = {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}
                threat_severity = Moderate


Fri, 03 Apr 2026 20:15:00 +0000

Type: Metrics
  Values added: ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
  Values added: Python-poetry
                Python-poetry poetry
Type: Vendors & Products
  Values added: Python-poetry
                Python-poetry poetry

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
  Values added: Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not sufficient for execution of malicious code. Malicious code will only be executed after installation if the malicious package is imported or invoked by the user.) This issue has been patched in version 2.3.3.
Type: Title
  Values added: Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write
Type: Weaknesses
  Values added: CWE-22
Type: References
Type: Metrics
  Values added: cvssV4_0 = {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T18:12:07.813Z

Reserved: 2026-03-30T17:15:52.499Z

Link: CVE-2026-34591

Vulnrichment

Updated: 2026-04-02T18:29:17.877Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T18:16:31.163

Modified: 2026-04-03T19:17:22.843

Link: CVE-2026-34591

Redhat

Severity: Moderate

Public Date: 2026-04-02T17:35:07Z

Links: CVE-2026-34591 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:17:16Z

Weaknesses