Directory Traversal Vulnerability in Python Product by Python Software Foundation
CVE-2026-12003

5.3 MEDIUM

What is CVE-2026-12003?

This vulnerability affects Python installations in which the VPATH variable is improperly defined, allowing low-privileged users to create a landmark file outside the intended installation directories. On Windows in particular, this can lead to unauthorized access to alternative library folders, because the required 'setup.local' landmark file can be created in locations whose permissions differ from those of the installation directory. To mitigate this risk, users are advised to transition to the updated Python installation manager, which maintains proper user restrictions. Future Python releases will phase out the problematic landmark detection method.

Affected Version(s)

CPython < 3.15.0 (all releases from version 0 up to, but not including, 3.15.0)

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jake Yamaki (https://github.com/b6938236)
Steve Dower (https://github.com/zooba)