CVE-2026-3219: pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files

April 20, 2026 (updated April 24, 2026)

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing “incorrect” files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

References

github.com/advisories/GHSA-58qw-9mgm-455v
github.com/pypa/pip
github.com/pypa/pip/pull/13870
mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ
nvd.nist.gov/vuln/detail/CVE-2026-3219

Code Behaviors & Features

Detect and mitigate CVE-2026-3219 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →