oss-sec mailing list archives
[oss-security][CVE-2026-6357] pip self-update functionality can import newly installed modules after wheel installation
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Mon, 27 Apr 2026 13:31:14 -0700
-------- Forwarded Message --------
Subject: [Security-announce][CVE-2026-6357] pip self-update functionality can import newly installed modules after wheel installation
Date: Mon, 27 Apr 2026 14:20:59 +0000
From: Seth Larson <seth () python org>
Reply-To: security-sig () python org
To: security-announce () python org

There is a MEDIUM severity vulnerability affecting the pip project.

pip prior to version 26.1 would run self-update check functionality after installing wheel files, which required importing well-known Python module names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-6357
* https://github.com/pypa/pip/pull/13923

_______________________________________________
Security-announce mailing list -- security-announce () python org
To unsubscribe send an email to security-announce-leave () python org
https://mail.python.org/mailman3//lists/security-announce.python.org
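The advisory describes the hazard in one sentence: a deferred import that runs after a wheel has been unpacked onto sys.path can resolve to code the wheel just dropped there. The following is an added illustration, not pip's code and not from the advisory: it builds a constructed wheel-shaped zip containing a single top-level module under a hypothetical name (`osssec_demo_shadowed`; the advisory does not name the real modules involved), shows the pre-fix order (install, then import) executing the freshly installed file, shows the fixed order (import, then install) never reaching it, and includes the kind of pre-install review the advisory recommends: listing the top-level names a wheel would add and flagging any that collide with names the installer itself imports. The `protected` set passed to `shadowed_names` is a demo stand-in; in practice it would be the stdlib plus the installer's own dependencies.

```python
"""Added example (not pip's code): why importing after a wheel install is
unsafe, and a pre-install check for top-level name collisions."""
import importlib
import importlib.util
import os
import sys
import tempfile
import zipfile

# Hypothetical module name standing in for the "well-known" names the advisory
# says the deferred self-update code imported. Chosen so it does not exist.
SHADOW_NAME = "osssec_demo_shadowed"

# Constructed payload placed in the wheel; a real package would be a real module.
MARKER_TEXT = "code from the freshly installed wheel ran"
PAYLOAD = 'MARKER = "%s"\n' % MARKER_TEXT


def build_demo_wheel(directory):
    """Write a minimal wheel-shaped zip with one top-level module (constructed
    sample; only the parts the demo needs are present)."""
    path = os.path.join(directory, "demo-0.1-py3-none-any.whl")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(SHADOW_NAME + ".py", PAYLOAD)
        zf.writestr("demo-0.1.dist-info/METADATA", "Name: demo\nVersion: 0.1\n")
        zf.writestr("demo-0.1.dist-info/RECORD", "")
    return path


def top_level_names(wheel_path):
    """Top-level importable names the wheel would add to site-packages:
    package directories and single-file / extension modules."""
    names = set()
    with zipfile.ZipFile(wheel_path) as zf:
        for member in zf.namelist():
            head = member.split("/", 1)[0]
            if head.endswith((".dist-info", ".data")):
                continue  # metadata and data dirs are not importable
            if "/" in member:
                names.add(head)  # a package directory
            elif head.endswith((".py", ".so", ".pyd")):
                names.add(head.split(".")[0])  # module or extension file
    return names


def shadowed_names(wheel_path, protected):
    """Names in the wheel that collide with modules the installer may import.
    Anything returned here deserves a look before installation."""
    return top_level_names(wheel_path) & set(protected)


def install_then_import(wheel_path, site_dir):
    """Pre-fix order: unpack the wheel onto sys.path, then run the deferred
    import. Returns the marker the wheel's module defines, proving that the
    import resolved to, and executed, the newly installed file."""
    with zipfile.ZipFile(wheel_path) as zf:
        zf.extractall(site_dir)
    importlib.invalidate_caches()
    sys.path.insert(0, site_dir)
    try:
        mod = importlib.import_module(SHADOW_NAME)
        return getattr(mod, "MARKER", None)
    finally:
        sys.path.remove(site_dir)
        sys.modules.pop(SHADOW_NAME, None)


def import_then_install(wheel_path, site_dir):
    """Fixed order: resolve the import before anything from the wheel is on
    sys.path. Returns the spec found (None: no such module existed yet), and
    only then unpacks the wheel."""
    spec = importlib.util.find_spec(SHADOW_NAME)
    with zipfile.ZipFile(wheel_path) as zf:
        zf.extractall(site_dir)
    return spec


def demo():
    """Run both orders against the constructed wheel.
    Returns (top-level names, flagged names, pre-fix result, post-fix result)."""
    with tempfile.TemporaryDirectory() as tmp:
        whl = build_demo_wheel(tmp)
        names = top_level_names(whl)
        flagged = shadowed_names(whl, {SHADOW_NAME, "os", "json"})
        pre = install_then_import(whl, os.path.join(tmp, "site_a"))
        post = import_then_install(whl, os.path.join(tmp, "site_b"))
    return names, flagged, pre, post


if __name__ == "__main__":
    for label, value in zip(("names", "flagged", "pre-fix", "post-fix"), demo()):
        print("%-9s %r" % (label + ":", value))
```

The ordering change is the whole fix: nothing in the second function prevents the wheel from containing a colliding module, it only guarantees that the installer's own import has already been resolved before that module can be found. The name check is the complementary control the advisory points at with "review package contents"; it is cheap to run over a downloaded wheel before handing it to an installer.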
