Symlink Vulnerability in Python's tarfile Module
CVE-2026-11940

7.8 HIGH

What is CVE-2026-11940?

A vulnerability in Python's tarfile module allows an attacker to craft an archive that exploits how hardlinks and symlinks are handled during extraction. By manipulating the archived symlink paths and the paths they resolve to on extraction, a malicious archive can create symlinks that point to locations outside the designated extraction directory. This can lead to unauthorized file reads or writes, posing a significant risk to applications that rely on the module to handle tar archives. The issue is an incomplete fix for a previously identified vulnerability.
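As an added example (not code from CPython or from this advisory), the following pre-extraction audit flags the member shapes the description covers: symlink or hardlink targets that resolve outside the destination, and members whose path, or whose link target, routes through a symlink that appeared earlier in the same archive. The archive is constructed inline, and names such as `audit_links` and `build_sample_archive` are this example's own.

```python
import io
import posixpath
import tarfile

def _norm(path):
    # Lexically normalised archive-relative path, or None if it escapes the root.
    p = posixpath.normpath(path)
    return None if posixpath.isabs(p) or p == ".." or p.startswith("../") else p

def _prefixes(path):
    # Normalised proper directory prefixes of a raw member path, computed before
    # normalising the whole path so "link/.." cannot hide a hop through a symlink.
    parts = path.split("/")
    return {posixpath.normpath("/".join(parts[:i])) for i in range(1, len(parts))}

def audit_links(tar_bytes):
    """Return (member, reason) pairs for members that must not be extracted."""
    findings, symlinks = [], set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf:
            name = _norm(m.name)
            if name is None:
                findings.append((m.name, "path escapes destination"))
            elif _prefixes(m.name) & symlinks:
                findings.append((m.name, "path passes through earlier symlink"))
            elif m.issym():
                # A symlink target resolves relative to the link's own directory.
                raw = posixpath.join(posixpath.dirname(name), m.linkname)
                if _norm(raw) is None:
                    findings.append((m.name, "symlink target escapes destination"))
                elif _prefixes(raw) & symlinks:
                    findings.append((m.name, "symlink target passes through earlier symlink"))
                else:
                    symlinks.add(name)
            elif m.islnk() and _norm(m.linkname) is None:
                # Hardlink targets are archive-relative paths.
                findings.append((m.name, "hardlink target escapes destination"))
    return findings

def build_sample_archive():
    # Constructed sample archive: one benign file plus the link shapes above.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, kind, linkname="", data=b""):
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.size = kind, linkname, len(data)
            tf.addfile(info, io.BytesIO(data) if data else None)
        add("data/readme.txt", tarfile.REGTYPE, data=b"hello\n")
        add("data/escape", tarfile.SYMTYPE, "../../outside")     # target leaves dest
        add("data/self", tarfile.SYMTYPE, ".")                     # target stays inside
        add("data/self/payload.txt", tarfile.REGTYPE, data=b"x")   # written through a symlink
        add("data/hl", tarfile.LNKTYPE, "../secret")               # hardlink leaves dest
    return buf.getvalue()
```

Run the audit before `extractall()` and refuse the whole archive if it returns anything; the check is lexical and independent of whatever extraction filter the interpreter applies.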

Affected Version(s)

CPython, all versions prior to 3.16.0

CVSS V4

  • Score: 7.8
  • Severity: HIGH
  • Confidentiality: None
  • Integrity: None
  • Availability: None
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: Undefined
  • User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Haruki Oyama (https://github.com/harukioya)
Stan Ulbrych (https://github.com/StanFromIreland)
Petr Viktorin (https://github.com/encukou)