Black: Arbitrary file writes from unsanitized user input in cache file name
Summary
| CVE | CVE-2026-32274 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-12 20:16:06 UTC |
| Updated | 2026-06-30 03:18:30 UTC |
| Description | Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1. |
Risk And Classification
Primary CVSS: v4.0 8.7 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.005720000 probability, percentile 0.430770000 (date 2026-07-02)
Problem Types: CWE-22 | CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Psf | Black | affected < 26.3.1 | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.5 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 2.25 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform Ansible Core 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Virtualization 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-32274 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13553 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/psf/black/releases/tag/26.3.1 | [email protected] | github.com | Release Notes |
| github.com/psf/black/pull/5038 | [email protected] | github.com | Issue Tracking, Patch |
| access.redhat.com/errata/RHSA-2026:10184 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d | [email protected] | github.com | Patch |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32274.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m | [email protected] | github.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:13545 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-12T20:01:22.957Z | Reported to Red Hat. |
| ADP | 2026-03-12T19:47:07.464Z | Made public. |
Solutions
ADP: RHSA-2026:13553: Red Hat Ansible Automation Platform 2.5
ADP: RHSA-2026:13545: Red Hat Ansible Automation Platform 2.6
ADP: RHSA-2026:10184: Red Hat OpenShift AI 2.25
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.