๐Ÿ” CVE Alert

CVE-2026-55830

HIGH 8.3

RestrictedPython guard hooks can be shadowed via positional-only arguments

CVSS Score
8.3
EPSS Score
0.2%
EPSS Percentile
13th

RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Prior to 8.3, check_function_argument_names() rejected protected guard hook names for regular, variadic, and keyword-only arguments but omitted positional-only arguments, allowing __getattr__, _getitem_, _write_, or _print_ to be shadowed by a local parameter and bypass the embedding application's access policy. This issue is fixed in version 8.3.

CWE CWE-184
Vendor zopefoundation
Product restrictedpython
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for zopefoundation restrictedpython

Be the first to know when new high vulnerabilities affecting zopefoundation restrictedpython are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Affected Versions

zopefoundation / RestrictedPython
< 8.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-ffg3-p8fm-mjx2 github.com: https://github.com/zopefoundation/RestrictedPython/commit/3737596ec9f28c34a073cc845bd2f4c0a80cb671