File Handling Vulnerability in pip by PyPA
CVE-2026-3219

4.6 MEDIUM

Key Information:

Status
Vendor
CVE Published:
20 April 2026

What is CVE-2026-3219?

The pip package installer, maintained by PyPA, treated a file consisting of a tar archive with a ZIP archive appended (a concatenated tar/ZIP file) purely as a ZIP file, ignoring what its content otherwise indicates. Because the two halves of such a file can carry different contents, this misprocessing can lead to unexpected and confusing behaviour during installation, potentially installing incorrect files depending on the archive's name. The patched behaviour proceeds with an installation only when the file is unambiguously either a valid ZIP archive or a valid tar archive.
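The check described above, as an added illustration that is not pip's own code: tar detection reads the header block at the front of a file, while ZIP detection reads the end-of-central-directory record at the back, so a tar with a ZIP appended satisfies both. The example builds such a file from constructed sample data, shows that each reader extracts a different member set from the same bytes, and applies the patched policy of accepting a file only when exactly one format matches. It uses only the standard library and assumes Python 3.9 or later (where `tarfile.is_tarfile` accepts file objects); the function names are this example's own.

```python
"""Detect archives that are simultaneously a valid tar and a valid ZIP."""
import io
import tarfile
import zipfile


def make_tar(members: dict[str, bytes]) -> bytes:
    """Build an uncompressed tar archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a ZIP archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_archive(data: bytes) -> str:
    """Return 'tar', 'zip', 'ambiguous' or 'unknown'.

    tarfile.is_tarfile() parses the leading 512-byte header block;
    zipfile.is_zipfile() looks for the trailing end-of-central-directory
    record. A tar with a ZIP appended satisfies both detectors at once.
    """
    looks_tar = tarfile.is_tarfile(io.BytesIO(data))
    looks_zip = zipfile.is_zipfile(io.BytesIO(data))
    if looks_tar and looks_zip:
        return "ambiguous"
    if looks_tar:
        return "tar"
    if looks_zip:
        return "zip"
    return "unknown"


def members_seen(data: bytes) -> dict[str, list[str]]:
    """List what each reader would extract from the same bytes."""
    seen: dict[str, list[str]] = {}
    if tarfile.is_tarfile(io.BytesIO(data)):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
            seen["tar"] = tf.getnames()
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            seen["zip"] = zf.namelist()
    return seen


def safe_to_install(data: bytes) -> bool:
    """Patched policy: proceed only when the file is unambiguously one format."""
    return classify_archive(data) in ("tar", "zip")


# Constructed sample: the tar half and the ZIP half carry different payloads
# under the same member name, so the chosen reader decides what gets installed.
TAR_ONLY = make_tar({"pkg/setup.py": b"print('from tar')\n"})
ZIP_ONLY = make_zip({"pkg/setup.py": b"print('from zip')\n"})
POLYGLOT = TAR_ONLY + ZIP_ONLY  # valid tar header in front, valid ZIP trailer behind


if __name__ == "__main__":
    for label, blob in (("tar", TAR_ONLY), ("zip", ZIP_ONLY), ("tar+zip", POLYGLOT)):
        verdict = "install" if safe_to_install(blob) else "REJECT"
        print(f"{label:8s} {classify_archive(blob):9s} {verdict:8s} {members_seen(blob)}")
```

Running the block prints one line per sample; only the concatenated file is classified as ambiguous and rejected, even though both a tar reader and a ZIP reader would happily open it and return a member list. Checking both detectors, rather than trusting whichever one an installer consults first, is the whole of the mitigation.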

Affected Version(s)

pip < 26.1 (all versions from 0 up to, but not including, 26.1)

References

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved