CVE-2026-41140 — Path Traversal in Poetry

CWE-22 — Path Traversal6 documents5 sources

Severity

0.6LOWNVD

EPSS

0.1%

top 80.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python-poetry Poetry Ansible-automation-platform-26 Controller-rhel9 Ansible-automation-platform-26 Eda-controller-rhel9 +6 more

Timeline

PublishedApr 24

Latest updateApr 25

Description

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4. This vulnerability is fixed in 2.3.4.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages11 packages

▶CVEListV5python-poetry/poetry< 2.3.4

▶PyPIpython-poetry/poetry< 2.3.4

▶Red Hatpython-poetry/poetry

▶Red Hatrhoai/odh-kserve-agent-rhel9

▶Red Hatrhoai/odh-kserve-router-rhel9

🔴Vulnerability Details

VulDB

python-poetry up to 2.3.3 helpers.py extractall path traversal (GHSA-73h3-mf4w-8647)↗2026-04-24

▶

GHSA

Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4↗2026-04-22

▶

📋Vendor Advisories

Red Hat

poetry: python: Poetry: Path traversal vulnerability allows arbitrary file write via malicious package extraction↗2026-04-24

▶

💬Community

Bugzilla

CVE-2026-41140 poetry: Poetry: Path traversal vulnerability allows arbitrary file write via malicious package extraction [fedora-all]↗2026-04-25

▶

Bugzilla

CVE-2026-41140 poetry: python: Poetry: Path traversal vulnerability allows arbitrary file write via malicious package extraction↗2026-04-24

▶