Medium severity · NVD Advisory · Published Apr 20, 2026 · Updated Apr 20, 2026
CVE-2026-3219
Description
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
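A pre-install check in the spirit of the fixed behavior described above, written as an added example and not pip's own code: it accepts a file only when it parses as exactly one of ZIP or tar. The function names, the filename-suffix matching and the in-memory sample archives are assumptions constructed for illustration.

```python
import io
import tarfile
import zipfile


def classify_archive(data: bytes) -> str:
    """Classify raw archive bytes as 'zip', 'tar', 'ambiguous' or 'unknown'."""
    # ZIP readers locate the end-of-central-directory record at the END of
    # the file, so a ZIP appended to other data still parses as a ZIP.
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    # tar readers parse headers from the START of the file; the default
    # open mode also accepts compressed tars.
    try:
        with tarfile.open(fileobj=io.BytesIO(data)):
            is_tar = True
    except (tarfile.TarError, OSError, EOFError):
        is_tar = False
    if is_zip and is_tar:
        return "ambiguous"
    return "zip" if is_zip else "tar" if is_tar else "unknown"


def is_installable(filename: str, data: bytes) -> bool:
    """Accept only content that is exactly one format and matches the name."""
    kind = classify_archive(data)
    if filename.endswith((".whl", ".zip")):
        return kind == "zip"
    if filename.endswith((".tar.gz", ".tgz", ".tar.bz2", ".tar.xz", ".tar")):
        return kind == "tar"
    return False


def sample_tar() -> bytes:  # constructed sample input
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"from tar\n"
        info = tarfile.TarInfo("pkg/source.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def sample_zip() -> bytes:  # constructed sample input
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/source.txt", "from zip\n")
    return buf.getvalue()
```

Running `classify_archive` over files in a local package mirror or build cache flags any archive that two different readers would interpret differently.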
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pip (PyPI) | < 26.1 | 26.1 |
Affected products
References
- github.com/advisories/GHSA-58qw-9mgm-455v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-3219 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2026/04/20/8 (nvd, WEB)
- github.com/pypa/pip/issues/13867 (ghsa, WEB)
- github.com/pypa/pip/pull/13870 (nvd, WEB)
- mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ (ghsa, WEB; also nvd)