oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[oss-security][CVE-2026-5271] Python install manager script aliases search path hijack

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 1 Apr 2026 14:41:47 -0700



-------- Forwarded Message --------
Subject: [Security-announce][CVE-2026-5271] Python install manager script aliases search path hijack 
Date: Wed, 1 Apr 2026 18:07:40 +0100
From: Steve Dower <steve.dower () python org>
Reply-To: security-sig () python org
To: security-announce () python org

There is a MEDIUM severity vulnerability affecting the Python install manager.
Script alias entrypoints (e.g. pip.exe) generated by version 26.0 of the Python install manager were very likely to have an empty search path, leading to modules in the current working directory being able to override the intended module and execute code as the user. 

Version 26.1 is fixed. Versions prior to 26.0 are not impacted.
After installing the updated version, run "py install --refresh" to regenerate existing aliases. 

Please see the linked CVE ID for the latest information on
affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-5271
* https://github.com/python/pymanager/pull/301
_______________________________________________
Security-announce mailing list -- security-announce () python org
To unsubscribe send an email to security-announce-leave () python org
https://mail.python.org/mailman3//lists/security-announce.python.org
Previous By Date Next
Previous By Thread Next

Current thread: