CVE Alert

CVE-2026-24049

HIGH 7.1

wheel Allows Arbitrary File Permission Modification via Path Traversal

CVSS Score: 7.1
EPSS Score: 0.0%
EPSS Percentile: 0th

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function mishandles file permissions after extraction: it blindly trusts the filename from the archive header when choosing the target of the chmod operation, even though the extraction step itself may already have sanitized that path. An attacker can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing privilege escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
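The defect class above is a chmod target computed from the raw archive header name rather than from the same checked path the extraction wrote to. The following is an added illustration of the safe pattern, not code from pypa/wheel: one function resolves each member name under the destination and rejects anything that escapes it, and that single resolved path feeds both the file write and the chmod. The fixture is a bare zip built in memory (not a real wheel), and all function names, the member names and the mode bits are constructed for this example.

```python
import io
import os
import stat
import tempfile
import zipfile


def resolve_member_path(dest_dir, member_name):
    """Return the absolute path an archive member may be written to, raising
    ValueError if the name would land outside dest_dir. Absolute names, '..'
    segments and a symlinked parent directory are all caught by realpath +
    commonpath, which is stricter than string-prefix checks."""
    dest_real = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(dest_real, member_name.replace("\\", "/")))
    if os.path.commonpath([dest_real, candidate]) != dest_real:
        raise ValueError("archive member escapes destination: %r" % member_name)
    return candidate


def find_unsafe_members(archive_bytes, dest_dir):
    """Pre-extraction check: member names that would resolve outside dest_dir."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            try:
                resolve_member_path(dest_dir, info.filename)
            except ValueError:
                unsafe.append(info.filename)
    return unsafe


def extract_with_modes(archive_bytes, dest_dir):
    """Extract every member and restore its Unix mode bits.

    The same resolved path is used for the write and for the chmod; the raw
    header name is never passed to os.chmod. A traversal name raises before
    anything is touched. Returns {member name: mode actually set}."""
    applied = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_member_path(dest_dir, info.filename)  # raises on traversal
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            mode = (info.external_attr >> 16) & 0o777  # Unix permissions sit in the high 16 bits
            if mode:
                os.chmod(target, mode)  # same checked path as the write
            applied[info.filename] = stat.S_IMODE(os.stat(target).st_mode)
    return applied


def build_sample_archive(include_escape):
    """Constructed fixture (a plain zip, not a real wheel): an executable script,
    a data file and, optionally, one entry whose name points outside the tree."""
    entries = [("pkg/run.py", 0o755, b"print('hi')\n"),
               ("pkg/data.txt", 0o644, b"x\n")]
    if include_escape:
        entries.append(("../escape.txt", 0o777, b"must never be written\n"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode, body in entries:
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, body)
    return buf.getvalue()


def demo():
    """Scan first; extract only a clean archive, into a throwaway directory."""
    result = {}
    with tempfile.TemporaryDirectory() as dest:
        tainted = build_sample_archive(include_escape=True)
        result["tainted_rejected"] = find_unsafe_members(tainted, dest)
        try:
            # Without the pre-scan the good members would already be on disk
            # when the bad name is hit, which is why the scan runs first.
            extract_with_modes(tainted, dest)
            result["tainted_extract"] = "extracted"
        except ValueError:
            result["tainted_extract"] = "refused"
        clean = build_sample_archive(include_escape=False)
        if not find_unsafe_members(clean, dest):
            result["clean_modes"] = extract_with_modes(clean, dest)
    return result


if __name__ == "__main__":
    print(demo())
```

The pre-scan is the piece a defender can run over any untrusted wheel before installing or unpacking it: a non-empty result from find_unsafe_members means the archive should be rejected as a whole rather than partially extracted.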

CWE: CWE-22, CWE-732
Vendor: pypa
Product: wheel
Published: Jan 22, 2026
Last Updated: Jun 30, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Affected Versions

pypa / wheel
>= 0.40.0, < 0.46.2

References

GitHub advisory: https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx
GitHub commit: https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef
GitHub release: https://github.com/pypa/wheel/releases/tag/0.46.2
Red Hat CVE page: https://access.redhat.com/security/cve/CVE-2026-24049
Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2431959
Red Hat CSAF VEX: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24049.json
Red Hat errata:
https://access.redhat.com/errata/RHSA-2026:2823
https://access.redhat.com/errata/RHSA-2026:3959
https://access.redhat.com/errata/RHSA-2026:3958
https://access.redhat.com/errata/RHSA-2026:2090
https://access.redhat.com/errata/RHSA-2026:2866
https://access.redhat.com/errata/RHSA-2026:2710
https://access.redhat.com/errata/RHSA-2026:1939
https://access.redhat.com/errata/RHSA-2026:2865
https://access.redhat.com/errata/RHSA-2026:1902
https://access.redhat.com/errata/RHSA-2026:2900
https://access.redhat.com/errata/RHSA-2026:3461
https://access.redhat.com/errata/RHSA-2026:3462
https://access.redhat.com/errata/RHSA-2026:3960
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:2675
https://access.redhat.com/errata/RHSA-2026:2694
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/errata/RHSA-2026:2695
https://access.redhat.com/errata/RHSA-2026:2106
https://access.redhat.com/errata/RHSA-2026:3782
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:3713
https://access.redhat.com/errata/RHSA-2026:5119
https://access.redhat.com/errata/RHSA-2026:20089
https://access.redhat.com/errata/RHSA-2026:17599
https://access.redhat.com/errata/RHSA-2026:6555
https://access.redhat.com/errata/RHSA-2026:7250
https://access.redhat.com/errata/RHSA-2026:6565
https://access.redhat.com/errata/RHSA-2026:6562
https://access.redhat.com/errata/RHSA-2026:6192
https://access.redhat.com/errata/RHSA-2026:14020
https://access.redhat.com/errata/RHSA-2026:4942
https://access.redhat.com/errata/RHSA-2026:4185
https://access.redhat.com/errata/RHSA-2026:4215
https://access.redhat.com/errata/RHSA-2026:1942
https://access.redhat.com/errata/RHSA-2026:2681
https://access.redhat.com/errata/RHSA-2026:2762
https://access.redhat.com/errata/RHSA-2026:2754
https://access.redhat.com/errata/RHSA-2026:1504
https://access.redhat.com/errata/RHSA-2026:2925
https://access.redhat.com/errata/RHSA-2026:4271
https://access.redhat.com/errata/RHSA-2026:2139