Description
pip prior to version 26.1 would run its self-update check after installing wheel files, and that check required importing well-known Python module names. These module imports were intentionally deferred to reduce the startup time of the pip CLI. The patch changes the self-update functionality to run before wheels are installed, so that newly installed modules are not imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pip versions prior to 26.1 contain a flaw where the self-update routine runs after wheel files have been installed, at which point it imports well-known Python modules. The flaw maps to CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and also to CWE-94 (code injection). If a malicious wheel is installed, the subsequent import of that wheel's modules can execute arbitrary code during the self-update check, potentially compromising the environment in which pip runs.

Affected Systems

Any environment running pip before version 26.1: the official pip releases from the pip maintainers, and any Python distributions or custom builds that bundle an older pip executable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is less than 1%, indicating a very low exploitation probability, and the vulnerability is not listed in CISA's KEV catalog, suggesting it has not yet been widely exploited. However, the required conditions – the presence of a malicious wheel file and execution of a self‑update – are achievable by a local user with package installation privileges. Consequently, the risk is moderate and mitigation through an official patch is recommended.

Generated by OpenCVE AI on May 6, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pip to version 26.1 or later to apply the fix that moves self‑update before wheel installation.
  • Use trusted package sources and verify wheel integrity before installation to avoid malicious packages.
  • Run pip commands within isolated virtual environments to restrict the scope of any unintended code execution.

Generated by OpenCVE AI on May 6, 2026 at 01:52 UTC.

Advisories

Source: Github GHSA
ID: GHSA-jp4c-xjxw-mgf9
Title: pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere

History

Wed, 06 May 2026 00:15:00 +0000
  Weaknesses - added: CWE-94
  References
  Metrics - removed: threat_severity = None
  Metrics - added: cvssV3_1 = {'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N'}; threat_severity = Moderate

Tue, 28 Apr 2026 04:00:00 +0000
  First Time appeared - added: Pypa; Pypa pip
  Vendors & Products - added: Pypa; Pypa pip

Mon, 27 Apr 2026 23:30:00 +0000
  References

Mon, 27 Apr 2026 17:15:00 +0000
  Weaknesses - added: CWE-829
  Metrics - added: ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 15:00:00 +0000
  Description - added: pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.
  Title - added: pip self-update functionality can import newly installed modules after wheel installation
  References
  Metrics - added: cvssV4_0 = {'score': 5.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-04-27T22:17:49.582Z

Reserved: 2026-04-15T13:55:02.734Z

Link: CVE-2026-6357

Vulnrichment

Updated: 2026-04-27T22:17:49.582Z

NVD

Status: Awaiting Analysis

Published: 2026-04-27T15:16:20.857

Modified: 2026-04-27T23:16:03.533

Link: CVE-2026-6357

Redhat

Severity: Moderate

Public Date: 2026-04-27T14:19:47Z

Links: CVE-2026-6357 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T02:00:12Z

Weaknesses