CVE-2026-24049: Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack
- Vulnerability Type: Path Traversal (CWE-22) leading to Arbitrary File Permission Modification.
- Root Cause Component: wheel.cli.unpack.unpack function.
- Affected Packages:
  - wheel (upstream source)
  - setuptools (downstream, vendors wheel)
- Severity: High (Allows modifying system file permissions).
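The defensive pattern this advisory points at is to validate every archive member's destination path against the extraction root before the extractor writes or chmods anything. The following is an added example written for this page, not wheel's own code: the helper names (safe_member_path, safe_unpack, build_zip, demo) and the sample archives are constructed here to show the containment check and to show that the permission bits stored in a member's external attributes are only applied to a path that passed that check.

```python
"""Added example (not wheel's implementation): extract a zip archive
(a wheel is a zip) while refusing any member whose resolved path would
land outside the destination directory, and only then restore the
per-member permission bits stored in the zip's external attributes."""
import io
import os
import stat
import tempfile
import zipfile


class UnsafeMemberError(ValueError):
    """Raised for a zip member whose path would escape the destination."""


def safe_member_path(dest: str, name: str) -> str:
    """Return the absolute on-disk path for member `name`, or raise if the
    resolved path is not inside `dest` ('..' segments and absolute member
    names both end up outside and are rejected)."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeMemberError(f"member {name!r} escapes {dest_real}")
    return target


def safe_unpack(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract every member under `dest`. The path check runs first; the
    chmod that restores the archived mode runs only on the validated path.
    Returns the list of extracted member names."""
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_member_path(dest, info.filename)  # raises on traversal
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            mode = (info.external_attr >> 16) & 0o7777  # unix mode bits, if any
            if mode:
                os.chmod(target, mode)  # only ever reaches an in-tree path
            extracted.append(info.filename)
    return extracted


def build_zip(entries: dict[str, tuple[bytes, int]]) -> bytes:
    """Build an in-memory zip from {name: (content, unix_mode)} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (content, mode) in entries.items():
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, content)
    return buf.getvalue()


def demo() -> dict:
    """Extract a benign archive, then confirm a '..' member is rejected
    before anything is written or chmodded outside the destination."""
    good = build_zip({"pkg/__init__.py": (b"", 0o644),
                      "pkg/tool": (b"#!/bin/sh\n", 0o755)})
    bad = build_zip({"../outside.txt": (b"x", 0o777)})  # constructed traversal entry
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        results["extracted"] = safe_unpack(good, dest)
        tool = os.path.join(dest, "pkg", "tool")
        results["tool_mode"] = stat.S_IMODE(os.stat(tool).st_mode)
        try:
            safe_unpack(bad, dest)
            results["rejected"] = False
        except UnsafeMemberError:
            results["rejected"] = True
        results["outside_exists"] = os.path.exists(os.path.join(tmp, "outside.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

The check compares realpath results with os.path.commonpath rather than string prefixes, so a destination such as "/opt/app" does not accidentally accept "/opt/app-other/...", and the realpath call also resolves symlinked components before the comparison.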
References
- github.com/advisories/GHSA-8rrh-rw8j-w5fx
- github.com/pypa/wheel
- github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef
- github.com/pypa/wheel/commit/934fe177ff912c8e03d5ae951d3805e1fd90ba5e
- github.com/pypa/wheel/releases/tag/0.46.2
- github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx
- nvd.nist.gov/vuln/detail/CVE-2026-24049