Vulnerability Description
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not sufficient for execution of malicious code. Malicious code will only be executed after installation if the malicious package is imported or invoked by the user.). This issue has been patched in version 2.3.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python-Poetry | Poetry | >= 1.4.0, < 2.3.3 |
Related Weaknesses (CWE)
References
- http://github.com/python-poetry/poetry/commit/ed59537ac3709cfbdbf95d957de801c138Patch
- https://github.com/python-poetry/poetry/pull/10792Issue TrackingPatch
- https://github.com/python-poetry/poetry/releases/tag/2.3.3ProductRelease Notes
- https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxpExploitVendor Advisory
- https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxpExploitVendor Advisory
FAQ
What is CVE-2026-34591?
CVE-2026-34591 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary f...
How severe is CVE-2026-34591?
CVE-2026-34591 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34591?
Check the references section above for vendor advisories and patch information. Affected products include: Python-Poetry Poetry.