Platform
python
Component
black
Fixed in
26.3.2
26.3.1
CVE-2026-32274 describes an Arbitrary File Access vulnerability discovered in Black, a Python code formatter. This vulnerability allows an attacker to write cache files to arbitrary locations on the file system by manipulating the --python-cell-magics option. Versions of Black prior to 26.3.1 are affected. A fix has been released in version 26.3.1.
The primary impact of CVE-2026-32274 is the potential for arbitrary file writes. An attacker who can control the value passed to the --python-cell-magics option can dictate the location where Black stores its cache files. This could lead to overwriting critical system files, injecting malicious code, or gaining unauthorized access to sensitive data. The ability to write to arbitrary locations significantly expands the attack surface, potentially allowing for privilege escalation or remote code execution depending on the targeted file and system configuration. While the direct impact is file write, the consequences can be severe.
CVE-2026-32274 was publicly disclosed on 2026-03-12. Currently, there are no known public proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog. The probability of exploitation is considered low due to the need for direct control over the --python-cell-magics option, which is typically not exposed to untrusted user input in standard usage scenarios.
Developers and DevOps teams using Black in automated pipelines or CI/CD systems are particularly at risk. Environments where Black is integrated with third-party tools or services that provide untrusted input to the --python-cell-magics option are also vulnerable. Shared hosting environments where multiple users have access to the Black command-line interface should be carefully reviewed.
• python / code formatting: List the path of any running Black process (PowerShell): Get-Process -Name Black | Select-Object -ExpandProperty Path
• python / code formatting: Check for unusual cache files in unexpected locations (e.g., /etc/passwd.black_cache).
• python / code formatting: Monitor command-line arguments passed to Black for suspicious paths or characters in the --python-cell-magics option.
• python / code formatting: Review Black configuration files for any hardcoded or default values for --python-cell-magics that could be exploited.
disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
The primary mitigation for CVE-2026-32274 is to upgrade to Black version 26.3.1 or later, which contains the fix. If upgrading is not immediately feasible, a workaround involves strictly controlling the input provided to the --python-cell-magics option. This means ensuring that only trusted sources provide values for this option, preventing attackers from injecting malicious filenames. Consider implementing input validation and sanitization to further reduce the risk. After upgrading, verify the fix by attempting to trigger the vulnerability with a controlled, malicious --python-cell-magics value; the cache file should not be written to the specified location.
Upgrade Black to version 26.3.1 or later. This fixes the vulnerability that allows arbitrary file writes due to missing sanitization of the --python-cell-magics option.
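The workaround above (only trusted values reach --python-cell-magics) and the version check can be enforced in a CI wrapper before Black is ever invoked. The following is an added example for this advisory, not code from the Black project; it assumes that a legitimate cell magic name is a plain Python-style identifier, so any value carrying path separators, dots or whitespace is rejected, and that `black --version` output contains a MAJOR.MINOR.PATCH string.

```python
"""Pre-flight checks for running Black in CI (added example for CVE-2026-32274)."""
import re
from typing import Iterable, List, Tuple

# First release the advisory names as fixed.
FIXED_VERSION: Tuple[int, int, int] = (26, 3, 1)

# Assumption: a cell magic name is a plain identifier such as "timeit".
# Path separators, dots, "~" or whitespace are never legitimate here, and
# they are what an attacker would need to steer the cache file elsewhere.
_MAGIC_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract MAJOR.MINOR.PATCH from e.g. 'black, 26.3.0 (compiled: yes)'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(version_text: str) -> bool:
    """True when the installed Black predates the fixed release (26.3.1)."""
    return parse_version(version_text) < FIXED_VERSION


def is_safe_cell_magic(value: str) -> bool:
    """True only for values that look like a cell magic name, never a path."""
    return _MAGIC_NAME.match(value) is not None


def build_black_argv(targets: Iterable[str], cell_magics: Iterable[str]) -> List[str]:
    """Assemble the Black command line from validated values only."""
    argv = ["black"]
    for magic in cell_magics:
        if not is_safe_cell_magic(magic):
            raise ValueError(f"rejected --python-cell-magics value: {magic!r}")
        argv += ["--python-cell-magics", magic]
    argv += list(targets)
    return argv


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real system.
    print(is_vulnerable("black, 26.3.0 (compiled: yes)"))
    print(build_black_argv(["notebooks/"], ["timeit", "prun"]))
```

In a pipeline, run `is_vulnerable` against the captured `black --version` output and fail the job when it returns True; pass every externally supplied magic name through `build_black_argv` instead of splicing it into a shell string.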
CVE-2026-32274 is a HIGH severity vulnerability in Black versions ≤26.3.0 that allows attackers to write cache files to arbitrary locations due to unsanitized input to the --python-cell-magics option.
You are affected if you are using Black versions 26.3.0 or earlier and the --python-cell-magics option is exposed to untrusted input.
Upgrade to Black version 26.3.1 or later. As a temporary workaround, restrict user input to the --python-cell-magics option.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation makes it a potential target.
Refer to the Black project's official release notes and security advisories for details: [https://black.readthedocs.io/en/stable/](https://black.readthedocs.io/en/stable/)