tarfile.data_filter path traversal bypass allows writing outside the extraction directory
CVE-2026-7774
6.9 MEDIUM
What is CVE-2026-7774?
tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.
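As an added defensive example that is not part of the CVE record or of CPython itself: an extraction routine that vets every archive member against what is already on disk before writing it, refusing empty, absolute, dot-component or slash-terminated names and any link whose resolved target leaves the destination, while still applying the stdlib data filter where the running tarfile has one. build_archive only constructs sample input for the checks; all member names, link targets and the temporary destination are assumptions.

```python
import io
import os
import tarfile
import tempfile
def _within(root, path):
    """True if path, with any symlinks already on disk resolved, lies inside root."""
    root, path = os.path.realpath(root), os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)

def vet_member(member, dest):
    """Return a rejection reason, or None if the member may be extracted into dest."""
    name = member.name
    if not name or os.path.isabs(name) or any(p in ("", ".", "..") for p in name.split("/")):
        return f"suspicious member name {name!r}"  # empty, absolute, dot or slash-terminated
    if member.issym() or member.islnk():
        # symlink targets are relative to the link's directory, hard links to the archive root
        base = os.path.dirname(name) if member.issym() else ""
        if os.path.isabs(member.linkname) or not _within(dest, os.path.join(dest, base, member.linkname)):
            return f"link {name!r} -> {member.linkname!r} escapes {dest!r}"
    # resolve through whatever earlier members already put on disk, symlinks included
    if not _within(dest, os.path.join(dest, name)):
        return f"member {name!r} resolves outside {dest!r}"
    return None

def safe_extract(data, dest=None):
    """Extract member by member, vetting each against on-disk state; ValueError on the first unsafe one."""
    dest = dest or tempfile.mkdtemp(prefix="vet-")  # assumed: a fresh, empty destination
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # keep the stdlib filter too
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            reason = vet_member(member, dest)
            if reason is not None:
                raise ValueError(reason)
            tar.extract(member, dest, **opts)
            extracted.append(member.name)
    return extracted

def build_archive(entries):
    """Constructed sample input: entries are (name, kind, payload) with kind 'file' or 'symlink'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, payload
            else:
                info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload) if kind == "file" else None)
    return buf.getvalue()
```

The on-disk realpath check is the layer that does not depend on the filter's own bookkeeping: a member whose parent directory has become a symlink out of the destination is caught by resolving the path as it exists at that moment.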
Affected Version(s)
CPython < 3.15.0
CVSS v4
Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Phùng Siêu Đạt (OPSWAT Unit 515)
Seth Larson (https://github.com/sethmlarson)
Gregory P. Smith (https://github.com/gpshead)
Petr Viktorin (https://github.com/encukou)
Stan Ulbrych (https://github.com/StanFromIreland)
