LOWCVE-2026-1703CVSS 2.5

CVE-2026-1703: Path Traversal in pip 9.0.3 and Below

Q: How do I fix CVE-2026-1703 in pip?

Upgrade pip to version 26.0 or later using `pip install --upgrade pip==26.0`.

Platform

python

Component

pip

Fixed in

26.0

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-1703 describes a Path Traversal vulnerability discovered in pip, the Python package installer. This vulnerability allows attackers to extract files outside the intended installation directory when installing a maliciously crafted wheel archive. Versions of pip affected are those equal to or below 9.0.3. The vulnerability is mitigated by upgrading to pip version 26.0.

Impact and Attack Scenarios

The core of the vulnerability lies in pip's handling of wheel archives during installation. A malicious wheel file can contain directory traversal sequences that, when extracted, place files in unexpected locations. While the traversal is limited to prefixes of the installation directory, this can still lead to sensitive information disclosure. An attacker could potentially extract configuration files, source code, or other data that shouldn't be publicly accessible. Although direct code execution is unlikely due to the limited traversal scope, the potential for data exfiltration represents a significant risk, particularly in environments where pip is used to install packages from untrusted sources.

Exploitation Context

CVE-2026-1703 was published on February 2, 2026. Severity is rated as LOW. No public exploits or proof-of-concept code have been identified at the time of writing. The vulnerability is not currently listed on CISA Known Exploited Vulnerabilities (KEV) catalog, and EPSS score is pending evaluation. Organizations should prioritize patching to prevent potential future exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Reports1 threat report

EPSS

0.02% (6% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impactpartial

Affected Software

Componentpip

Vendorosv

Affected rangeFixed in

0 – 26.026.0

—26.0

Weakness Classification (CWE)

CWE-22

Timeline

Reserved2026-01-30
Published2026-02-02
Modified2026-03-24
EPSS updated2026-03-23

Patched -2 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-1703 is to upgrade pip to version 26.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing stricter wheel source verification. This could involve using a trusted package repository or verifying the integrity of wheel files using checksums before installation. Employing a virtual environment for package installations can also help isolate the impact of a compromised wheel. Reviewing and restricting the sources from which pip is allowed to download packages is a crucial preventative measure.

How to fix

Actualice pip a la versión 26.0 o superior. Esto se puede hacer ejecutando `pip install --upgrade pip`. Asegúrese de que el entorno de Python donde se ejecuta pip esté actualizado también.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-1703 — Path Traversal in pip?

CVE-2026-1703 is a vulnerability in pip versions up to 9.0.3 that allows attackers to extract files outside the intended installation directory when installing malicious wheel archives.

Am I affected by CVE-2026-1703 in pip?

You are affected if you are using pip version 9.0.3 or earlier. Check your pip version using pip --version.

How do I fix CVE-2026-1703 in pip?

Upgrade pip to version 26.0 or later using pip install --upgrade pip==26.0.

Is CVE-2026-1703 being actively exploited?

Currently, there are no publicly known exploits or active campaigns targeting CVE-2026-1703.

Where can I find the official pip advisory for CVE-2026-1703?

Refer to the pip project's security advisories and the Python Security Announcements for official information: https://pip.pypa.io/en/stable/security/