Description
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.

pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
Published: 2026-03-18
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file access via path traversal in pkgutil.get_data()
Action: Assess
AI Analysis

Impact

pkgutil.get_data() initially did not validate its resource argument as the documentation had indicated, creating the possibility for a path traversal attack that could allow an attacker to read files outside the intended directory. The issue was later clarified by the project maintainers, who stated that the function follows the same security model as the built‑in open() and that there is no vulnerability when the function is used according to the intended model. Nonetheless, the potential impact remains the unauthorized disclosure of local files if an attacker can influence the resource parameter.

Affected Systems

The vulnerability affects the CPython implementation of Python as distributed by the Python Software Foundation. No specific versions are listed in the advisory, so any installation that uses pkgutil.get_data() without proper validation may be exposed.

Risk and Exploitability

The CVSS score of 3.3 indicates low severity, and the EPSS score of under 1 percent suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or remotely controlled code that passes an attacker‑controlled argument to pkgutil.get_data(), leading to a path traversal scenario. Because the issue hinges on improper usage of the function, the risk is limited to environments where untrusted input may be provided to the resource argument.

Generated by OpenCVE AI on April 7, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest CPython release to ensure the documentation and security model are up to date
  • Audit all uses of pkgutil.get_data() to confirm that only trusted, validated resource names are supplied
  • Refactor code to avoid passing arbitrary file paths or user input to pkgutil.get_data()
  • If code cannot be easily modified, consider replacing pkgutil.get_data() with a more explicit file access method that validates paths

Generated by OpenCVE AI on April 7, 2026 at 20:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals. DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

 cvssV4_0

{'score': 0, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Low

Thu, 19 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
References

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python cpython
Vendors & Products Python
Python cpython

Wed, 18 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
Title pkgutil.get_data() does not enforce documented restrictions
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Python Cpython
cve-icon MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-04-07T22:01:35.724Z

Reserved: 2026-03-03T14:18:35.394Z

Link: CVE-2026-3479

cve-icon Vulnrichment

Updated: 2026-03-18T18:49:24.573Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T19:16:06.810

Modified: 2026-04-07T18:16:46.740

Link: CVE-2026-3479

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-18T18:13:42Z

Links: CVE-2026-3479 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:01:29Z

Weaknesses