SpirityCVE

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Pypa	Wheel

No data.

References

Link	Providers
https://www.spirityenterprise.com/pentest
https://www.spirityenterprise.com/virtual-ciso
https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef
https://github.com/pypa/wheel/releases/tag/0.46.2
https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx
https://nvd.nist.gov/vuln/detail/CVE-2026-24049
https://www.cve.org/CVERecord?id=CVE-2026-24049

History

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pypa Pypa wheel
Vendors & Products		Pypa Pypa wheel

Fri, 23 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-24049 https://www.cve.org/CVERecord?id=CVE-2026-24049
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 22 Jan 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 22 Jan 2026 04:30:00 +0000

Type	Values Removed	Values Added
Description		wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Title		wheel Allows Arbitrary File Permission Modification via Path Traversal
Weaknesses		CWE-22 CWE-732
References		https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef https://github.com/pypa/wheel/releases/tag/0.46.2 https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-22T04:02:08.706Z

Updated: 2026-01-23T17:45:05.244Z

Reserved: 2026-01-20T22:30:11.778Z

Link: CVE-2026-24049

Vulnrichment

Updated: 2026-01-22T12:24:57.994Z

NVD

Status : Received

Published: 2026-01-22T05:16:23.157

Modified: 2026-01-22T05:16:23.157

Link: CVE-2026-24049

Redhat

Severity : Important

Publid Date: 2026-01-22T04:02:08Z

Links: CVE-2026-24049 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object