MEDIUM 5.5

CVE-2026-8643: pip Path Traversal in Entry Point Installation

pip, Python's package installer, has a flaw in how it handles console scripts and GUI scripts during package installation. Instead of treating these as simple command names, pip resolves them to file paths without properly validating the destination. This can allow an attacker to install entry points (executable scripts) outside the intended installation directory, potentially placing malicious scripts in system paths or other sensitive locations where they could be executed with the privileges of the user running pip.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-22
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-07-07

NVD description (verbatim)

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

30 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8643 is a path traversal vulnerability (CWE-22) in pip's entry point installation logic. When processing console_scripts and gui_scripts metadata from a package, pip fails to sanitize the resolved absolute path to the installation directory. An attacker can craft a malicious package that specifies entry points with path-like names (e.g., containing directory traversal sequences or absolute paths), causing pip to install these scripts outside the intended site-packages or Scripts directory. The vulnerability requires local access and an authenticated user to trigger package installation, limiting the attack surface but enabling privilege escalation or code execution scenarios.

Business impact

Organizations relying on pip for Python package management face a supply chain risk where maliciously crafted packages could install executable scripts in unexpected locations. In shared or multi-tenant environments, this could lead to unauthorized code execution as the installing user. Development teams are particularly at risk if they install untrusted packages from non-curated sources. The impact is elevated in CI/CD pipelines and containerized deployments where pip runs with elevated privileges or in isolated environments that are subsequently trusted.

Affected systems

The vulnerability affects pypa pip across all versions that contain this flawed entry point installation logic. Systems running pip to install Python packages are at risk, particularly development workstations, CI/CD infrastructure, build servers, and container image build processes. Python versions themselves are not directly vulnerable; the issue is specific to pip's packaging and installation mechanism.

Exploitability

Exploitation requires local access (AV:L) and low complexity (AC:L), with a low privilege requirement (PR:L) — meaning a standard user can trigger the vulnerability by installing a package. No user interaction beyond running pip install is needed (UI:N). However, the attacker must first gain the ability to distribute or influence which package gets installed, either through a compromised package repository, a man-in-the-middle attack, or social engineering. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting limited evidence of active exploitation in the wild at present.

Remediation

Users should update pip to a patched version once available from the Python Packaging Authority (pypa). Verify against the official pip release notes and security advisories on github.com/pypa/pip for the specific version that addresses CVE-2026-8643. Until patching is feasible, mitigations include restricting pip installations to curated, trusted package sources; running pip in isolated environments or containers with limited filesystem permissions; and avoiding installation of packages from untrusted or unverified origins. Dependency scanning and Software Bill of Materials (SBOM) tooling should be used to identify suspicious entry point definitions in package metadata.

Patch guidance

Check the official pip release notes and the Python Packaging Authority security page for the patched version number. Apply patches to all systems where pip is used, including development machines, build servers, and container base images. Testing should focus on verifying that entry points are installed only in the intended directories (site-packages/Scripts on Windows, site-packages/bin on Unix-like systems) and that path traversal sequences in package metadata are rejected or sanitized. After patching, regenerate any container images or deployment artifacts that embed pip.

Detection guidance

Monitor pip installation logs and package metadata for suspicious entry point definitions that contain path separators, absolute paths, or traversal sequences (e.g., '../', '..\\', leading slashes). File integrity monitoring (FIM) tools should flag unexpected script installations outside the standard site-packages or Scripts directories. In CI/CD pipelines, implement policy checks that verify installed entry points reside only in whitelisted locations. Package security scanning tools can flag packages with suspicious entry point names during pre-installation analysis. Review pip's verbose output (pip install -v) to audit the resolved paths of installed scripts.

Why prioritize this

This vulnerability merits timely patching despite its MEDIUM CVSS score due to the nature of path traversal flaws in package installers. While requiring local access limits immediate blast radius, the potential to install executable code outside intended boundaries creates a reliable privilege escalation and persistence mechanism. Organizations with strict software supply chain controls should prioritize this; those using untrusted package sources should treat it as HIGH priority. The attack chain is straightforward once a malicious package is installed, and the impact on CI/CD pipelines could be severe.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector, low attack complexity, and low privilege requirement, but importantly captures high integrity impact (I:H) with no confidentiality or availability impact. The integrity component reflects the ability to write files (entry point scripts) to unauthorized locations. The score appropriately downgrades from critical due to the requirement for local access and user authentication; however, organizations running CI/CD or shared build infrastructure should consider this within their own risk context as functionally higher-impact.

Frequently asked questions

What is a console_script or gui_script in pip?

Entry points named console_scripts and gui_scripts are directives in a Python package's setup.py or setup.cfg that tell pip to create executable command-line tools or GUI applications on the system PATH. For example, a package might define a console_script called 'mytool' that points to a Python function; pip then creates a mytool executable in the Scripts directory (Windows) or bin directory (Unix). This vulnerability exploits how pip resolves the installation location for these entry points.

Could this affect my Python runtime or operating system?

The vulnerability is specific to pip's behavior during package installation. It does not directly affect Python itself or the OS. However, if a malicious package installs a script to a writable system directory (e.g., /usr/local/bin, C:\\Windows\\System32 on misconfigured systems), that script could run with the privileges of the user who installed the package, potentially leading to code execution. Risk is highest if pip is run with elevated privileges (sudo, Administrator).

Is this the same as a supply chain attack?

This vulnerability is a mechanism that attackers could use as part of a supply chain attack, but it is not a supply chain vulnerability in pip itself. An attacker would need to either create and distribute a malicious package, compromise an existing package on a repository, or intercept package downloads. The CVE-2026-8643 flaw then allows that malicious package to install entry points outside the sandbox, amplifying the impact. Defense-in-depth includes verifying package sources, reviewing package contents, and keeping pip patched.

What should I do right now if I can't patch immediately?

Implement restrictive pip configurations: use --target to install packages into isolated directories, run pip with limited filesystem permissions, and restrict installations to internal or verified package mirrors. Audit recent pip installations for unexpected entry points using 'pip show -f <package>' to list installed files. In CI/CD, use container build policies to reject packages with suspicious metadata. Monitor for unauthorized scripts in system paths. These mitigations reduce risk until patches are deployed.

This analysis is provided for informational purposes and reflects the vulnerability details as of the published date. Patch availability, vendor advisories, and exploitation status may change; consult official sources including the Python Packaging Authority and your vendor's security bulletins for current remediation guidance. Organizations should validate all technical recommendations in their own environment before deployment. SEC.co does not provide legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).