Medium severity · NVD Advisory · Published Apr 27, 2026 · Updated Apr 27, 2026
CVE-2026-6357
Description
pip prior to version 26.1 ran its self-update check after installing wheel files, and that check required importing modules with well-known Python module names. These module imports were intentionally deferred to improve the startup time of the pip CLI. The patch changes the self-update check to run before wheels are installed, which prevents newly installed modules from being imported shortly after a wheel package is installed. Users should still review package contents prior to installation.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pip (PyPI) | < 26.1 | 26.1 |
Affected products
References
- github.com/advisories/GHSA-jp4c-xjxw-mgf9 (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-6357 (source: ghsa, type: ADVISORY)
- www.openwall.com/lists/oss-security/2026/04/27/7 (source: nvd, type: WEB)
- github.com/pypa/pip/commit/b369bfc96cc524e00c267e1693290e6599c36bad (source: ghsa, type: WEB)
- github.com/pypa/pip/pull/13923 (source: nvd, type: WEB)
- ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/ (source: nvd, type: WEB)