CVE-2026-1703: pip Path Traversal vulnerability

February 2, 2026

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn’t able to inject or overwrite executable files in typical situations.

References

github.com/advisories/GHSA-6vgw-5pg2-w6jp
github.com/pypa/pip
github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
github.com/pypa/pip/pull/13777
mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ
nvd.nist.gov/vuln/detail/CVE-2026-1703

Code Behaviors & Features

Detect and mitigate CVE-2026-1703 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →