CVE-2026-6357
published 2026-04-27CVE-2026-6357: pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names…
medium5.3CVSS 4.0
AVLACLATPPRHUIAVCHVIHVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.
Affected
114 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-24 | controller-rhel8 | — | — |
| ansible-automation-platform-25 | controller-rhel8 | — | — |
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | controller-rhel9-operator | — | — |
| ansible-automation-platform-26 | de-minimal-rhel9 | — | — |
| ansible-automation-platform-26 | de-supported-rhel9 | — | — |
| ansible-automation-platform-26 | eda-controller-rhel9-operator | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-26 | gateway-rhel9-operator | — | — |
| ansible-automation-platform-26 | hub-rhel9-operator | — | — |
| ansible-automation-platform-26 | lightspeed-rhel9-operator | — | — |
| ansible-automation-platform-26 | platform-resource-rhel9-operator | — | — |
| ansible-automation-platform-tech-preview | metrics-service-rhel9 | — | — |
| ansible-automation-platform-tech-preview | metrics-service-rhel9-operator | — | — |
| ansible-automation-platform | automation-dashboard-rhel9 | — | — |
| devspaces | udi-rhel9 | — | — |
| discovery | discovery-server-rhel9 | — | — |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| migration-toolkit-virtualization | mtv-rhel9-operator | — | — |
| mta | mta-rhel9-operator | — | — |
| mtv-candidate | mtv-rhel9-operator | — | — |
| openshift-lightspeed | lightspeed-service-api-rhel9 | — | — |
| openshift-service-mesh | kiali-rhel9-operator | — | — |
| openshift4 | ose-ansible-rhel9-operator | — | — |
| pen-drive | pen-drive-scanner-rhel9 | — | — |