wheel Allows Arbitrary File Permission Modification via Path Traversal
Summary
| CVE | CVE-2026-24049 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-22 05:16:23 UTC |
| Updated | 2026-07-01 13:16:49 UTC |
| Description | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS: 0.003110000 probability, percentile 0.229270000 (date 2026-07-04)
Problem Types: CWE-22 | CWE-732 | CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE-732 CWE-732: Incorrect Permission Assignment for Critical Resource | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| 3.1 | ADP | CVSS | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
| 3.1 | [email protected] | Secondary | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Wheel Project | Wheel | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:3960 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3958 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4271 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4215 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3462 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2106 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:1504 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2681 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2675 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2754 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2762 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:5119 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3782 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24049.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6562 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10184 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2090 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17599 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2865 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2694 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:1902 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2710 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:20089 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx | [email protected] | github.com | Exploit, Mitigation, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:1939 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2866 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2695 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2925 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/pypa/wheel/releases/tag/0.46.2 | [email protected] | github.com | Product, Release Notes |
| access.redhat.com/errata/RHSA-2026:3713 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6565 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6555 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2900 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:1942 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6192 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2823 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13545 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4942 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19712 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-24049 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14020 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:4185 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2139 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7250 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3461 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3959 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-01-22T05:00:54.709Z | Reported to Red Hat. |
| ADP | 2026-01-22T04:02:08.706Z | Made public. |
Solutions
ADP: RHSA-2026:2823: Discovery 2 for RHEL 10, Discovery 2 for RHEL 8, Discovery 2 for RHEL 9
ADP: RHSA-2026:3959: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9
ADP: RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9
ADP: RHSA-2026:2090: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)
ADP: RHSA-2026:2866: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)
ADP: RHSA-2026:2710: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:1939: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)
ADP: RHSA-2026:2865: Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)
ADP: RHSA-2026:1902: Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
ADP: RHSA-2026:2900: Network Observability (NETOBSERV) 1.11.2
ADP: RHSA-2026:3461: Red Hat AI Inference Server 3.2
ADP: RHSA-2026:3462: Red Hat AI Inference Server 3.2
ADP: RHSA-2026:3960: Red Hat Ansible Automation Platform 2.6
ADP: RHSA-2026:13545: Red Hat Ansible Automation Platform 2.6
ADP: RHSA-2026:2675: Red Hat Developer Hub 1.8
ADP: RHSA-2026:2694: Red Hat Discovery 2
ADP: RHSA-2026:10184: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:2695: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:2106: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:3782: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:19712: Red Hat OpenShift AI 3.3
ADP: RHSA-2026:3713: Red Hat OpenShift AI 3.3
ADP: RHSA-2026:5119: Red Hat OpenShift AI 3.4
ADP: RHSA-2026:20089: Red Hat OpenShift Container Platform 4.16
ADP: RHSA-2026:17599: Red Hat OpenShift Container Platform 4.17
ADP: RHSA-2026:6555: Red Hat OpenShift Container Platform 4.18
ADP: RHSA-2026:7250: Red Hat OpenShift Container Platform 4.19
ADP: RHSA-2026:6565: Red Hat OpenShift Container Platform 4.20
ADP: RHSA-2026:6562: Red Hat OpenShift Container Platform 4.21
ADP: RHSA-2026:6192: Red Hat OpenShift Dev Spaces 3.27
ADP: RHSA-2026:14020: Red Hat OpenStack 1.5
ADP: RHSA-2026:2762: Red Hat Quay 3.10
ADP: RHSA-2026:4942: Red Hat Quay 3.12
ADP: RHSA-2026:4185: Red Hat Quay 3.13
ADP: RHSA-2026:4215: Red Hat Quay 3.14
ADP: RHSA-2026:1942: Red Hat Quay 3.15
ADP: RHSA-2026:2681: Red Hat Quay 3.16
ADP: RHSA-2026:2754: Red Hat Quay 3.9
ADP: RHSA-2026:1504: Red Hat Satellite 6.18
ADP: RHSA-2026:2925: Red Hat Trusted Artifact Signer 1.2
ADP: RHSA-2026:4271: Red Hat Trusted Artifact Signer 1.3
ADP: RHSA-2026:2139: Red Hat Trusted Artifact Signer 1.3
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.