CVE-2026-24049 — Path Traversal in Project Wheel

CWE-22 — Path Traversal CWE-732 — Incorrect Permission Assignment7 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 98.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wheel Project Wheel Debian Wheel Pypa Wheel

Timeline

PublishedJan 22

Description

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of c…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/wheel< wheel 0.46.3-1 (forky)

▶NVDwheel_project/wheel0.40.0 — 0.46.2

▶PyPIwheel_project/wheel0.40.0 — 0.46.2

▶Debianwheel_project/wheel< 0.46.3-1

▶CVEListV5pypa/wheel>= 0.40.0, < 0.46.2

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack↗2026-01-22

▶

OSV

Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack↗2026-01-22

▶

OSV

CVE-2026-24049: wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427↗2026-01-22

▶

📋Vendor Advisories

Red Hat

wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking↗2026-01-22

▶

Debian

CVE-2026-24049: wheel - wheel is a command line tool for manipulating Python wheel files, as defined in ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24049 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶