Self-update Vulnerability in pip Affects Python Packaging
CVE-2026-6357

5.3MEDIUM

Key Information:

Vendor: Pip Maintainers
Status: Pip
Vendor: CVE Published:; 27 April 2026

🔔 Create Pip Maintainers Vulnerability Alert

What is CVE-2026-6357?

The vulnerability in pip prior to version 26.1 allows for an improper execution of self-update checks after the installation of wheel files. This flaw arises due to the deferred importation of certain Python modules, implemented to enhance the startup time of the pip command-line interface. The patch effectively restructures this process, ensuring that self-update functionality executes before wheel installations. Users are advised to scrutinize package contents thoroughly before installation to mitigate potential risks.

Affected Version(s)

pip 0 < 26.1

References

https://github.com/pypa/pip/pull/13923

patch

https://ichard26.github.io/blog/2026/04/whats-new-in-pip-...

vendor-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Damian Shaw

Richard Si

Seth Larson

CVE-2026-6357 Data

JSON