CVE-2026-34591 — Path Traversal in Poetry

CWE-22 — Path Traversal9 documents7 sources

Severity

7.1HIGHNVD

EPSS

0.0%

top 88.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python-poetry Poetry Debian Poetry Msrc Azl3 Poetry 1.8.3-1 ON Azure Linux 3.0

Timeline

PublishedApr 2

Latest updateApr 3

Description

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not sufficient for execution of malicious code. Malicious code will only be executed after installation if the malicious packa…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶NVDpython-poetry/poetry1.4.0 — 2.3.3

▶PyPIpython-poetry/poetry1.4.0 — 2.3.3

▶CVEListV5python-poetry/poetry>= 1.4.0, < 2.3.3

▶debiandebian/poetry

▶msrcmsrc/azl3_poetry_1.8.3-1_on_azure_linux_3.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-34591: (Poetry is a dependency manager for Python↗2026-04-03

▶

OSV

CVE-2026-34591: Poetry is a dependency manager for Python↗2026-04-02

▶

OSV

Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write↗2026-04-01

▶

GHSA

Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write↗2026-04-01

▶

📋Vendor Advisories

Red Hat

github.com/python-poetry/poetry: Poetry: Arbitrary file write via crafted package installation↗2026-04-02

▶

Microsoft

Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write↗2026-04-02

▶

Debian

CVE-2026-34591: poetry - Poetry is a dependency manager for Python. From version 1.4.0 to before version ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-34591 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶