wheel Allows Arbitrary File Permission Modification via Path Traversal
Description
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself may have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for privilege escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
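As an added illustration (not the wheel project's own code), the Python below models the mechanism the description gives: the flawed chmod path computed from the raw archive name beside the hardened form that chmods only what `ZipFile.extract()` actually wrote, plus an audit that flags entries whose header name would escape the destination. The sample archive, function names and the Python 3.9+ assumption are all constructed for this example.

```python
import io
import tempfile
import zipfile
from pathlib import Path

def build_sample_wheel() -> bytes:
    """Constructed stand-in for a wheel (sample data, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        good = zipfile.ZipInfo("pkg/__init__.py")
        good.external_attr = 0o644 << 16  # POSIX mode lives in the high 16 bits
        zf.writestr(good, "# ordinary module\n")
        bad = zipfile.ZipInfo("../escaped.txt")  # header name that climbs out of dest
        bad.external_attr = 0o666 << 16
        zf.writestr(bad, "x\n")
    return buf.getvalue()

def naive_chmod_target(dest: Path, name: str) -> Path:
    """Flawed pattern: join the raw header name onto dest. extract() drops '..'
    components when writing, so this path can lie outside dest while the file did not."""
    return (dest / name).resolve()

def audit_wheel(wheel_bytes: bytes, dest: Path) -> list[str]:
    """Entries whose naive chmod path would resolve outside dest (a red flag)."""
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return [zi.filename for zi in zf.infolist()
                if not naive_chmod_target(dest, zi.filename).is_relative_to(dest)]

def safe_unpack(wheel_bytes: bytes, dest: Path) -> dict[str, int]:
    """Hardened: chmod the path extract() actually wrote, never the raw header name."""
    dest = dest.resolve()
    modes = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for zi in zf.infolist():
            written = Path(zf.extract(zi, dest)).resolve()
            if not written.is_relative_to(dest):  # belt and braces
                raise ValueError(f"refusing to chmod outside dest: {zi.filename}")
            if mode := (zi.external_attr >> 16) & 0o777:
                written.chmod(mode)
            modes[written.relative_to(dest).as_posix()] = written.stat().st_mode & 0o777
    return modes

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        dest, wheel = Path(tmp, "out"), build_sample_wheel()
        return {"flagged": audit_wheel(wheel, dest),
                "modes": safe_unpack(wheel, dest),
                "outside_file_created": Path(tmp, "escaped.txt").exists()}
```

The audit alone is a useful pre-install check: any entry it flags would have been extracted inside the destination by `zipfile` but chmod'ed somewhere else by the pre-0.46.2 logic.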
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| wheel | PyPI | >= 0.40.0, < 0.46.2 | 0.46.2 |
References
- github.com/advisories/GHSA-8rrh-rw8j-w5fx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-24049 (NVD entry)
- github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef (commit)
- github.com/pypa/wheel/commit/934fe177ff912c8e03d5ae951d3805e1fd90ba5e (commit)
- github.com/pypa/wheel/releases/tag/0.46.2 (release)
- github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx (project advisory)