pypa wheel up to 0.46.1 File path traversal

Summaryinfo

A vulnerability was found in pypa wheel up to 0.46.1. It has been rated as critical. Affected by this vulnerability is an unknown functionality of the component File Handler. This manipulation causes path traversal. This vulnerability is registered as CVE-2026-24049. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability has been found in pypa wheel up to 0.46.1 and classified as critical. Affected by this vulnerability is an unknown function of the component File Handler. The manipulation with an unknown input leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect integrity, and availability. The summary by CVE is:

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

The advisory is shared at github.com. This vulnerability is known as CVE-2026-24049 since 01/20/2026. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1006 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 297496 (Fedora 43 : python-wheel (2026-ce64e86fd8)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 0.46.2 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 7a7d2de96b22a9adf9208afcc9547e1001569fef is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (297496) and CERT Bund (WID-SEC-2026-0302). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Affected

• Red Hat Enterprise Linux
• SUSE Linux
• Oracle Linux
• SUSE openSUSE
• RESF Rocky Linux

Productinfo

Vendor

• pypa

Name

• wheel

Version

• 0.46.0
• 0.46.1

License

• open-source

Website

• Product: https://github.com/pypa/wheel/

CPE 2.3info

• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion