CVE-2026-55830
RestrictedPython guard hooks can be shadowed via positional-only arguments
CVSS Score
8.3
EPSS Score
0.2%
EPSS Percentile
13th
RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Prior to 8.3, check_function_argument_names() rejected protected guard hook names for regular, variadic, and keyword-only arguments but omitted positional-only arguments, allowing __getattr__, _getitem_, _write_, or _print_ to be shadowed by a local parameter and bypass the embedding application's access policy. This issue is fixed in version 8.3.
| CWE | CWE-184 |
| Vendor | zopefoundation |
| Product | restrictedpython |
| Published | Jul 8, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for zopefoundation restrictedpython
Be the first to know when new high vulnerabilities affecting zopefoundation restrictedpython are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
Affected Versions
zopefoundation / RestrictedPython
< 8.3