CVE-2026-3219: Unrestricted File Upload in Packaging Authority PIP

Severity: 4.6 MEDIUM (NVD)
EPSS: 0.0% (top 95.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 20; latest update Apr 23

Description

pip handles concatenated tar and ZIP files as ZIP files regardless of the filename, and regardless of whether the file is simultaneously a valid tar and a valid ZIP archive. This can produce confusing installs, such as installing "incorrect" files relative to what the archive's filename suggests. The new behavior only proceeds with installation if the file identifies uniquely as a ZIP or a tar archive, not as both.
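The ambiguity described above can be reproduced and checked with the standard library alone. The following is an added example, not pip's own code: it constructs a sample archive that is a tar file followed by a ZIP file (tar readers parse from the start, ZIP readers locate the end-of-central-directory record at the end, so both accept it), shows that the two readers report different member lists for the same file, and implements the post-fix rule of refusing any file that is not unambiguously one format. File names and member names are constructed for the demonstration.

```python
"""Added example: detect tar/ZIP polyglot archives before installing or extracting.

Not pip's code. Uses only the standard library; the sample archives are constructed here.
"""
import io
import os
import tarfile
import tempfile
import zipfile


def build_samples() -> dict:
    """Return constructed archive bytes: a plain tar, a plain ZIP, and their concatenation."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        data = b"print('from the tar half')\n"
        info = tarfile.TarInfo(name="pkg/from_tar.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, mode="w") as zf:
        zf.writestr("pkg/from_zip.py", "print('from the zip half')\n")

    tar_bytes = tar_buf.getvalue()
    zip_bytes = zip_buf.getvalue()
    # The polyglot is deliberately named .zip: the point is that the extension says nothing
    # about which parser will accept the content.
    return {
        "plain.tar": tar_bytes,
        "plain.zip": zip_bytes,
        "polyglot.zip": tar_bytes + zip_bytes,
    }


def classify_archive(path: str) -> str:
    """Classify by content only: 'zip', 'tar', 'ambiguous' (both parsers accept) or 'unknown'."""
    looks_zip = zipfile.is_zipfile(path)   # looks for the end-of-central-directory record at the tail
    looks_tar = tarfile.is_tarfile(path)   # parses the first 512-byte header at the head
    if looks_zip and looks_tar:
        return "ambiguous"
    if looks_zip:
        return "zip"
    if looks_tar:
        return "tar"
    return "unknown"


def member_names(path: str) -> dict:
    """List what each reader believes the archive contains; they disagree on a polyglot."""
    names = {}
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            names["zip"] = zf.namelist()
    if tarfile.is_tarfile(path):
        with tarfile.open(path) as tar:
            names["tar"] = tar.getnames()
    return names


def require_unambiguous(path: str) -> str:
    """The post-fix rule: proceed only when the file identifies uniquely as ZIP or tar."""
    kind = classify_archive(path)
    if kind in ("ambiguous", "unknown"):
        raise ValueError(f"refusing {os.path.basename(path)}: archive type is {kind}")
    return kind


def classify_samples() -> dict:
    """Write the constructed samples to a temp dir and return {name: (kind, member lists)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in build_samples().items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(blob)
            results[name] = (classify_archive(path), member_names(path))
    return results


if __name__ == "__main__":
    for name, (kind, members) in classify_samples().items():
        print(f"{name}: {kind} {members}")
```

Running it shows `plain.tar` and `plain.zip` classified normally, while `polyglot.zip` is `ambiguous` with the ZIP reader seeing `pkg/from_zip.py` and the tar reader seeing `pkg/from_tar.py`; `require_unambiguous` raises on it. A check like this at an ingestion point (internal index, build pipeline, artifact scanner) flags archives whose installed contents depend on which parser happens to run first.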

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages (116 packages)

PyPI: pypa/pip 26.0.1
Red Hat: hi/python
Red Hat: ubi8/python-36
Red Hat: ubi8/python-39

🔴 Vulnerability Details (3)

VulDB: Python Packaging Authority pip up to 26.0 ZIP File (2026-04-20)
GHSA: GHSA-58qw-9mgm-455v: pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file (2026-04-20)
GHSA: pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files (2026-04-20)

📋 Vendor Advisories (1)

Red Hat: pip: Incorrect file installation due to improper archive handling (2026-04-20)

💬 Community (4)

Bugzilla: CVE-2026-3219 python3.6: pip: Incorrect file installation due to improper archive handling [fedora-all] (2026-04-23)
Bugzilla: CVE-2026-3219 pypy: pip: Incorrect file installation due to improper archive handling [fedora-all] (2026-04-23)
Bugzilla: CVE-2026-3219 python3.15: pip: Incorrect file installation due to improper archive handling [fedora-all] (2026-04-23)
Bugzilla: CVE-2026-3219 pip: pip: Incorrect file installation due to improper archive handling (2026-04-20)