Description
pip prior to version 26.1 would run its self-update check after installing wheel files, and that check required importing well-known Python module names. These module imports were intentionally deferred to speed up startup of the pip CLI. The patch changes the self-update check to run before wheels are installed, so that newly installed modules are not imported shortly after a wheel package is installed. Users should still review package contents prior to installation.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Allows execution of arbitrary, untrusted code during pip self‑update by importing newly installed modules
Action: Immediate Patch
AI Analysis

Impact

pip versions prior to 26.1 contain a flaw where the self‑update check runs after wheel files are installed, at which point it imports well‑known Python modules whose imports had been deferred. The flaw is classified as CWE‑829 (inclusion of functionality from an untrusted control sphere). If a malicious wheel is installed, the subsequent import of a module that the wheel supplied can execute arbitrary code during the self‑update check, potentially compromising the system on which pip runs.

Affected Systems

Python installers that use pip before version 26.1, including the official pip packages distributed by the pip maintainers, and any custom builds that bundle an older pip executable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, suggesting it has not yet been widely exploited. However, the required conditions, namely the presence of a malicious wheel file and execution of the self‑update check, are achievable by a local user with package installation privileges. Consequently, the risk is moderate and mitigation through the official patch is recommended.

Generated by OpenCVE AI on April 28, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pip to version 26.1 or later to apply the fix that moves self‑update before wheel installation.
  • Use trusted package sources and verify wheel integrity before installation to avoid malicious packages.
  • Run pip commands within isolated virtual environments to restrict the scope of any unintended code execution.

Generated by OpenCVE AI on April 28, 2026 at 04:24 UTC.
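One way to act on the recommendation above to review wheel contents before installation, as an added example that is not part of the OpenCVE record or of pip itself: open the wheel as a zip archive, list the top-level import names it would place in site-packages, and flag any that collide with the standard library or with a caller-supplied set of names (the `protected` set is a hypothetical list; the sample wheel is constructed inline).

```python
import io
import sys
import zipfile
from typing import Dict, Optional, Set

# Standard-library top-level names (sys.stdlib_module_names exists on Python 3.10+).
STDLIB_NAMES: Set[str] = set(getattr(sys, "stdlib_module_names", ()))


def top_level_names(wheel_bytes: bytes) -> Set[str]:
    """Top-level import names a wheel would add to site-packages.
    'pkg/__init__.py' -> 'pkg', 'mod.py' -> 'mod', 'ext.cpython-312-...so' -> 'ext';
    the *.dist-info and *.data metadata directories are skipped."""
    names: Set[str] = set()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for member in zf.namelist():
            first = member.split("/", 1)[0]
            if first.endswith((".dist-info", ".data")):
                continue
            if "/" in member:
                names.add(first)
            elif first.endswith(".py"):
                names.add(first[:-3])
            elif first.endswith((".so", ".pyd")):
                names.add(first.split(".", 1)[0])
    return names


def audit_wheel(wheel_bytes: bytes, protected: Optional[Set[str]] = None) -> Dict[str, Set[str]]:
    """Flag top-level names that would shadow the standard library or a caller-supplied
    set of names (for instance, modules an installer imports lazily)."""
    found = top_level_names(wheel_bytes)
    return {
        "top_level": found,
        "shadows_stdlib": found & STDLIB_NAMES,
        "shadows_protected": found & (protected or set()),
    }


def build_sample_wheel() -> bytes:
    """Constructed sample wheel for demonstration only; not a real distribution."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample_pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("json/__init__.py", "# a top-level 'json' would shadow the stdlib package\n")
        zf.writestr("sample_pkg-1.0.dist-info/METADATA", "Name: sample_pkg\nVersion: 1.0\n")
    return buf.getvalue()
```

Run `audit_wheel` on a downloaded wheel (for example from `pip download`) before installing it, and treat any non-empty `shadows_*` set as a reason to inspect the package by hand.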

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 04:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Pypa, Pypa pip
Vendors & Products  |                | Pypa, Pypa pip

Mon, 27 Apr 2026 23:30:00 +0000

Type       | Values Removed | Values Added
References |                |

Mon, 27 Apr 2026 17:15:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-829
Metrics    |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 15:00:00 +0000

Type        | Values Removed | Values Added
Description |                | pip prior to version 26.1 would run its self-update check after installing wheel files, and that check required importing well-known Python module names. These module imports were intentionally deferred to speed up startup of the pip CLI. The patch changes the self-update check to run before wheels are installed, so that newly installed modules are not imported shortly after a wheel package is installed. Users should still review package contents prior to installation.
Title       |                | pip self-update functionality can import newly installed modules after wheel installation
References  |                |
Metrics     |                | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-04-27T22:17:49.582Z

Reserved: 2026-04-15T13:55:02.734Z

Link: CVE-2026-6357

Vulnrichment

Updated: 2026-04-27T22:17:49.582Z

NVD

Status : Awaiting Analysis

Published: 2026-04-27T15:16:20.857

Modified: 2026-04-27T23:16:03.533

Link: CVE-2026-6357

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:30:21Z

Weaknesses