Summaryinfo

A vulnerability categorized as problematic has been discovered in beeware briefcase up to 0.3.25. Affected by this issue is some unknown functionality of the component Templates Handler. Executing a manipulation can lead to permission assignment. This vulnerability is tracked as CVE-2026-33430. The attack is restricted to local execution. No exploit exists. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability was found in beeware briefcase up to 0.3.25. It has been declared as problematic. This vulnerability affects an unknown functionality of the component Templates Handler. The manipulation with an unknown input leads to a permission assignment vulnerability. The CWE definition for the vulnerability is CWE-732. The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.

The advisory is available at github.com. This vulnerability was named CVE-2026-33430 since 03/19/2026. The exploitation appears to be easy. Local access is required to approach this attack. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available.

Upgrading to version 0.3.26 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• beeware

Name

• briefcase

Version

• 0.3.0
• 0.3.1
• 0.3.2
• 0.3.3
• 0.3.4
• 0.3.5
• 0.3.6
• 0.3.7
• 0.3.8
• 0.3.9
• 0.3.10
• 0.3.11
• 0.3.12
• 0.3.13
• 0.3.14
• 0.3.15
• 0.3.16
• 0.3.17
• 0.3.18
• 0.3.19
• 0.3.20
• 0.3.21
• 0.3.22
• 0.3.23
• 0.3.24
• 0.3.25

Website

• Product: https://github.com/beeware/briefcase/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion