Description
pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
Published: 2026-06-01
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in pip causes it to treat console_scripts and gui_scripts entry point names as file paths rather than bare file names, and it does not check that the resolved absolute path stays within the installation directory. As a result, generated script wrappers can be written outside the intended scripts directory, allowing a malicious wheel to overwrite arbitrary files. This path‑traversal weakness (CWE‑22) compromises integrity, potentially availability, and in some scenarios enables arbitrary code execution.
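The following is an added illustrative pre-install check, not pip's own code or the fix in the commit referenced below: it parses a wheel's entry_points.txt and flags any console_scripts or gui_scripts name that would not land as a plain file directly inside the scripts directory. The sample entry_points.txt content and the scripts directory path are constructed for the example.

```python
import configparser
import os
from pathlib import Path

# Constructed sample of a wheel's entry_points.txt (not from any real package).
# The three bad names show the shapes the advisory describes: traversal,
# an absolute path, and a name containing a path separator.
SAMPLE_ENTRY_POINTS = """\
[console_scripts]
goodtool = goodtool.cli:main
../../escape = evil:main
/tmp/absolute = evil:main

[gui_scripts]
sub/dir = evil:gui
"""


def script_name_is_safe(name: str, scripts_dir: Path) -> bool:
    """True only if a wrapper named `name` would be created directly in scripts_dir.

    Two independent checks: the name must be a bare file name (no separators,
    no '.'/'..'), and the resolved target's parent must be the resolved scripts
    directory. Either check alone would catch the sample names; doing both is
    the belt-and-braces approach an installer should take.
    """
    if not name or name != os.path.basename(name) or name in (".", ".."):
        return False
    target = (scripts_dir / name).resolve()
    return target.parent == scripts_dir.resolve()


def unsafe_entry_points(entry_points_txt: str, scripts_dir: Path) -> dict:
    """Parse entry_points.txt and return {section: [offending names]}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep entry point names case-sensitive
    parser.read_string(entry_points_txt)
    findings = {}
    for section in ("console_scripts", "gui_scripts"):
        if not parser.has_section(section):
            continue
        bad = [n for n in parser[section] if not script_name_is_safe(n, scripts_dir)]
        if bad:
            findings[section] = bad
    return findings


if __name__ == "__main__":
    print(unsafe_entry_points(SAMPLE_ENTRY_POINTS, Path("/opt/venv/bin")))
```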

Affected Systems

All installations of pip prior to the fix that includes commit 8eb178480bd1a2b223f509fc430796b265158dfb are vulnerable. The vulnerability is relevant to any system that relies on pip to install third‑party wheels from unverified or insecure sources, regardless of the underlying operating system or Python version, as long as pip is used without additional safeguards.

Risk and Exploitability

The CVSS score of 4.1 places the issue in the medium‑severity category. EPSS data is not available, so the precise likelihood of exploitation remains unknown, but the attack surface is network‑accessible through social engineering or malicious package authors. The vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed public exploitation yet. Nonetheless, the ability to overwrite critical system files and potentially trigger code execution makes the risk significant and demands prompt action.

Generated by OpenCVE AI on June 1, 2026 at 18:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pip to the latest version that includes the security fix (for example, run pip install --upgrade pip).
  • If an immediate upgrade is not feasible, restrict pip installations to isolated virtual environments, enforce read‑only permissions on system directories, and avoid executing wheels from untrusted sources.
  • Use pip’s hash‑requirement validation (--require-hashes) and limit trusted package indexes to well‑known repositories to reduce the chance of installing a malicious wheel.



Advisories

No advisories yet.

History

Thu, 04 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pypa:pip:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Mon, 01 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
References

Mon, 01 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in pip, the package installer for Python. A remote attacker can exploit this vulnerability by tricking a victim into installing a malicious Python wheel. This wheel contains specially crafted entry-point names that use directory traversal or absolute paths. This allows pip to write generated script wrappers outside the intended installation directory, leading to arbitrary file overwrite. This can severely impact system integrity and availability, and in certain scenarios, may lead to arbitrary code execution. pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.
Title python-pip: Path traversal via malicious entry point name in pip wheel installation allows arbitrary file overwrite pip can extract console_scripts and gui_scripts outside installation directory
References
Metrics cvssV4_0

{'score': 4.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Thu, 28 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Pypa
Pypa pip
Vendors & Products Pypa
Pypa pip

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in pip, the package installer for Python. A remote attacker can exploit this vulnerability by tricking a victim into installing a malicious Python wheel. This wheel contains specially crafted entry-point names that use directory traversal or absolute paths. This allows pip to write generated script wrappers outside the intended installation directory, leading to arbitrary file overwrite. This can severely impact system integrity and availability, and in certain scenarios, may lead to arbitrary code execution.
Title python-pip: Path traversal via malicious entry point name in pip wheel installation allows arbitrary file overwrite
Weaknesses CWE-22
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-06-02T12:02:53.513Z

Reserved: 2026-05-14T20:21:04.562Z

Link: CVE-2026-8643

Vulnrichment

Updated: 2026-06-01T18:55:02.964Z

NVD

Status : Analyzed

Published: 2026-06-01T17:17:35.770

Modified: 2026-06-04T16:52:03.000

Link: CVE-2026-8643

Redhat

Severity : Important

Public Date: 2026-05-27T17:03:36Z

Links: CVE-2026-8643 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-01T18:45:34Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')