Vulnerability Description
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The extraction step sanitizes the entry path, but the subsequent chmod is applied to a path built from the raw filename in the archive header, so a crafted name can direct the permission change at a file outside the destination directory. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for privilege escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
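The following is an added illustration of the pattern the description refers to; it is not the wheel project's code. The two unpack functions are minimal stand-ins written for this page using only the standard library: zipfile's extract() drops ".." components and leading "/" from the entry name, so the vulnerable variant extracts safely but then chmods dest joined with the raw header name, while the corrected variant chmods the path extract() actually wrote. The "victim.txt" file, the "../victim.txt" entry name and the unsafe_entries() pre-unpack check are constructed for the demo and are not part of the advisory.

```python
"""Demonstration of chmod-on-raw-name after sanitized extraction (added
example, not wheel's code). Runs entirely inside a temporary directory."""
import io
import stat
import tempfile
import zipfile
from pathlib import Path


def build_wheel(entry_name, mode=0o777):
    """Build a constructed wheel-like zip in memory with one entry whose
    name and Unix mode are attacker-controlled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo(entry_name)
        # The Unix mode is stored in the high 16 bits of external_attr.
        zi.external_attr = (stat.S_IFREG | mode) << 16
        zf.writestr(zi, b"payload")
    return buf.getvalue()


def unpack_vulnerable(wheel_bytes, dest):
    """Vulnerable pattern: extract() sanitizes the path, but chmod is applied
    to dest joined with the raw header filename, which may contain '..'."""
    dest = Path(dest)
    touched = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for zinfo in zf.infolist():
            zf.extract(zinfo, dest)  # writes inside dest, '..' stripped
            mode = zinfo.external_attr >> 16 & 0o777
            target = dest.joinpath(zinfo.filename)  # raw name, escapes dest
            target.chmod(mode)
            touched.append(target.resolve())
    return touched


def unpack_fixed(wheel_bytes, dest):
    """Corrected pattern: chmod the path that extract() actually wrote."""
    dest = Path(dest)
    touched = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for zinfo in zf.infolist():
            extracted = Path(zf.extract(zinfo, dest))
            mode = zinfo.external_attr >> 16 & 0o777
            extracted.chmod(mode)
            touched.append(extracted.resolve())
    return touched


def unsafe_entries(wheel_bytes):
    """Pre-unpack check (hypothetical helper): entry names with a '..'
    component or an absolute path, i.e. names that would make a chmod on
    the raw name land outside the destination directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            parts = name.replace("\\", "/").split("/")
            if name.startswith("/") or ".." in parts:
                bad.append(name)
    return bad


def demo():
    """Create <root>/victim.txt with mode 0600, then unpack a wheel whose
    only entry is named '../victim.txt' into <root>/vuln and <root>/fixed.
    Returns the victim's mode after each variant and the mode of the file
    that the fixed variant wrote inside its destination."""
    root = Path(tempfile.mkdtemp())
    victim = root / "victim.txt"
    victim.write_text("sensitive")
    victim.chmod(0o600)
    wheel = build_wheel("../victim.txt", 0o777)

    unpack_vulnerable(wheel, root / "vuln")
    after_vuln = stat.S_IMODE(victim.stat().st_mode)  # victim now 0777

    victim.chmod(0o600)
    unpack_fixed(wheel, root / "fixed")
    after_fixed = stat.S_IMODE(victim.stat().st_mode)  # victim still 0600
    inside = stat.S_IMODE((root / "fixed" / "victim.txt").stat().st_mode)
    return {"vulnerable": after_vuln, "fixed": after_fixed, "inside_dest": inside}


if __name__ == "__main__":
    print(demo())
```

The check in unsafe_entries() is a belt-and-braces measure for code that unpacks untrusted wheels; the real fix is the one in unpack_fixed(): never derive a filesystem path from the archive header after extraction has already normalized it, use the path the extractor returns.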
CVSS Score
7.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wheel Project | Wheel | >= 0.40.0, < 0.46.2 |
References
- https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef (Patch)
- https://github.com/pypa/wheel/releases/tag/0.46.2 (Product, Release Notes)
- https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-24049?
CVE-2026-24049 is a vulnerability with a CVSS score of 7.1 (HIGH). wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction: the chmod applied after extraction uses the raw filename from the archive header rather than the sanitized path that was actually written, so a crafted wheel can change the permissions of files outside the destination directory.
How severe is CVE-2026-24049?
CVE-2026-24049 has been rated HIGH with a CVSS base score of 7.1/10. Only the base score and severity rating are listed on this page; consult the vendor advisory in the references section for the full vector.
Is there a patch for CVE-2026-24049?
Yes. The issue is fixed in wheel 0.46.2; the references section above links the patch commit, the 0.46.2 release notes and the vendor advisory. Affected products include: Wheel Project Wheel (>= 0.40.0, < 0.46.2).