CVE-2026-3479 - Vulnerability Details

- pkgutil.get_data() does not enforce documented restrictions

Description

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.

pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

Published: 2026-03-18

Score: 0 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists because pkgutil.get_data() does not enforce the documented restrictions on its resource argument, exposing the function to path traversal attacks. This weakness (CWE-22) allows an attacker to read arbitrary files that are accessible to the Python process. The impact is local file disclosure, potentially revealing sensitive configuration or system files used by the Python application.

Affected Systems

The affected product is CPython, provided by the Python Software Foundation. No specific version range is listed in the data, indicating that the issue may affect any distribution that includes the unpatched pkgutil implementation. Users should consider whether they are running a CPython version that includes the fix from pull request 146122.

Risk and Exploitability

The CVSS score is 2.1, classifying the vulnerability as low severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited exploitation potential. The likely attack vector is local: an attacker with the ability to execute or control a Python program can invoke pkgutil.get_data() with a crafted resource argument to read unintended files. No public exploit is known.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Python Software Foundation

CPython

unaffected

Version	Status	Constraints
`0`	affected	< 3.13.13
`3.14.0`	affected	< 3.14.4
`3.15.0a1`	affected	< 3.15.0a8

No data.

Vendor Product Confidence Versions

Python

Cpython

95%

Version	Status	Scheme	Platform
`[0,3.15.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade CPython to the latest stable release that incorporates the fix from pull request 146122.
If an upgrade is not immediately possible, apply the patch from pull request 146122 to the CPython source to enforce validation of the resource argument.

Generated by OpenCVE AI on March 18, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00007.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe
https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7
https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943
https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c
https://github.com/python/cpython/issues/146121
https://github.com/python/cpython/pull/146122
https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/
https://nvd.nist.gov/vuln/detail/CVE-2026-3479
https://www.cve.org/CVERecord?id=CVE-2026-3479

History

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943 https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c

Tue, 07 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description	pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.	DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
Metrics	cvssV4_0 `{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`	cvssV4_0 `{'score': 0, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}`

Fri, 20 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3479 https://www.cve.org/CVERecord?id=CVE-2026-3479
Metrics	threat_severity `None`	cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}` threat_severity `Low`

Thu, 19 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7

Thu, 19 Mar 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python Python cpython
Vendors & Products		Python Python cpython

Wed, 18 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-22
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
Title		pkgutil.get_data() does not enforce documented restrictions
References		https://github.com/python/cpython/issues/146121 https://github.com/python/cpython/pull/146122 https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/
Metrics		cvssV4_0 `{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Python Cpython

MITRE

Status: PUBLISHED

Assigner: PSF

Published: 2026-03-18T18:13:42.288Z

Updated: 2026-04-07T22:01:35.724Z

Reserved: 2026-03-03T14:18:35.394Z

Link: CVE-2026-3479

Vulnrichment

Updated: 2026-03-18T18:49:24.573Z

NVD

Status : Awaiting Analysis

Published: 2026-03-18T19:16:06.810

Modified: 2026-04-07T18:16:46.740

Link: CVE-2026-3479

Redhat

Severity : Low

Publid Date: 2026-03-18T18:13:42Z

Links: CVE-2026-3479 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T11:52:28Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object