Vulnerability Description
virtualenv is a tool for creating isolated virtual Python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between the directory existence check and the directory creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
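The class of bug the description names is the check-then-create pattern: an application tests whether a directory exists, then uses it, and a symlink planted at that path makes the check "succeed" while the later writes land somewhere else. The following is an added illustration written for this page, not virtualenv's code or its actual fix; the path names (`app_data`, `attacker_target`) and the `demo()` scenario are constructed. It places the weak pattern beside a hardened variant that creates the directory unconditionally and then inspects the entry with `lstat()`, which does not follow symlinks.

```python
import os
import stat
import tempfile


def racy_ensure_dir(path: str) -> str:
    """Check-then-create as described in the advisory: the existence check and
    the later use are separate steps. os.path.isdir() follows symlinks, so a
    link pointing at a directory counts as 'already exists' and is used as-is."""
    if not os.path.isdir(path):
        os.mkdir(path, 0o700)
    return path  # the caller now writes into whatever `path` resolves to


def safe_ensure_dir(path: str) -> str:
    """Hardened variant: create unconditionally and let the kernel report
    EEXIST, then verify with lstat() (no symlink following) that the entry is
    a real directory, owned by the current user, not writable by others."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # acceptable only if the entry passes the checks below
    st = os.lstat(path)  # a symlink is reported as a symlink, not as its target
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"refusing to use {path}: it is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"refusing to use {path}: not a directory")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise RuntimeError(f"refusing to use {path}: owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError(f"refusing to use {path}: group/other writable")
    return path


def demo() -> dict:
    """Constructed scenario (not a real attack trace): a directory standing in
    for an attacker-controlled location, and a symlink planted at the path the
    application intends to create. Returns what each variant did."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "attacker_target")
        os.mkdir(target, 0o700)
        planted = os.path.join(tmp, "app_data")  # hypothetical app data path
        os.symlink(target, planted)

        # Weak pattern: the link is followed and the file lands in `target`.
        racy_path = racy_ensure_dir(planted)
        with open(os.path.join(racy_path, "lock"), "w") as fh:
            fh.write("redirected")
        redirected = os.path.exists(os.path.join(target, "lock"))

        # Hardened pattern: the symlink is detected and the operation refused.
        try:
            safe_ensure_dir(planted)
            refused = False
        except RuntimeError:
            refused = True
    return {"racy_followed_symlink": redirected, "safe_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The `lstat()` check closes the symlink case shown here, but it still leaves a small window between the inspection and later writes; on platforms that support it, opening the directory once and performing subsequent operations relative to that descriptor (`dir_fd=` arguments in `os`, or `O_NOFOLLOW`) removes that window as well.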
CVSS Score
4.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Virtualenv | Virtualenv | < 20.36.1 |
Related Weaknesses (CWE)
References
- https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661ce (Patch)
- https://github.com/pypa/virtualenv/pull/3013 (Issue Tracking, Patch)
- https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 (Mitigation, Patch, Vendor Advisory)
FAQ
What is CVE-2026-22702?
CVE-2026-22702 is a vulnerability with a CVSS score of 4.5 (MEDIUM). virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform syml...
How severe is CVE-2026-22702?
CVE-2026-22702 has been rated MEDIUM with a CVSS base score of 4.5/10. See the CVSS Score section above.
Is there a patch for CVE-2026-22702?
Yes. The issue is fixed in virtualenv 20.36.1; see the references section above for the commit, pull request and vendor advisory. Affected product: Virtualenv (vendor: Virtualenv), versions before 20.36.1.