CVE-2026-3219
Confusing Installation Behavior vulnerability in pip (PyPI)

What is CVE-2026-3219 About?

This vulnerability in pip leads to confusing installation behavior because pip treats a concatenated tar-and-ZIP file as a ZIP archive whenever it contains ZIP metadata, regardless of the file's actual layout or its filename. This can result in the installation of incorrect or unintended files. Exploiting the issue requires crafting an archive in a specific concatenated format, and achieving a targeted impact with it is relatively complex.

Affected Software

pip <=26.0.1

Technical Details

Pip's vulnerability stems from its internal logic for identifying and processing archive files. Historically, pip would prioritize treating a file as a ZIP archive if it contained ZIP metadata, even if the file was a concatenation (e.g., a tar archive with ZIP data appended, or vice versa) or had a filename indicating a different archive type. Because ZIP readers locate the central directory from the end of the file, the ZIP portion of such a file is what gets extracted and installed, while the tar structure and the format implied by the filename are ignored. The key weakness is pip's imprecise archive identification: when a file was identified as both a tar and a ZIP archive, pip proceeded with the installation instead of rejecting the ambiguous input, so the same file could be installed differently depending on which reader processed it.

What is the Impact of CVE-2026-3219?

Successful exploitation may allow attackers to cause confusing and potentially incorrect installation behavior, leading to the installation of unintended or malicious files instead of the expected package contents.

What is the Exploitability of CVE-2026-3219?

Exploitation complexity is moderate, requiring an attacker to craft a specially formatted archive file that is readable as both a tar and a ZIP file. There are no authentication or privilege requirements beyond the ability to supply a package for pip to install. The attack is local or remote depending on how the malicious archive is delivered (e.g., through a package repository). A special condition is the need to create a 'polyglot' archive that defeats pip's file type detection. Risk is higher in environments where pip processes untrusted or ambiguously formatted package archives, since this can enable supply chain attacks or unexpected changes to the system.
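The Technical Details and Exploitability sections above describe archives that two readers interpret differently, and environments that feed untrusted archives to pip. The following pre-install gate, written for this page as an added example and not pip's own code, makes that ambiguity concrete from the defender's side: it runs the standard-library tar and ZIP readers over an archive independently, refuses any file that more than one reader accepts, and refuses any file whose content does not match the format its extension promises. The extension-to-format table and the helper names (`check_archive`, `detect_formats`, `build_tar`, `build_zip`) are assumptions made for the example; the sample archives are constructed in memory so the script runs offline.

```python
"""Pre-install gate that rejects archives more than one reader accepts.
Added example for CVE-2026-3219; not pip's code. Uses only the standard library."""
import io
import os
import tarfile
import zipfile

# Assumption for this example: the single format each filename extension promises.
# Only uncompressed tar, zip and wheel (a zip) are handled here.
EXPECTED_FORMAT = {".tar": "tar", ".zip": "zip", ".whl": "zip"}


def parses_as_tar(data: bytes) -> bool:
    """True if a tar reader accepts the *start* of `data` as a tar archive.
    tarfile stops at the end-of-archive zero blocks, so anything appended
    after them is silently ignored by this reader."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return len(tf.getmembers()) > 0
    except tarfile.TarError:
        return False


def parses_as_zip(data: bytes) -> bool:
    """True if a ZIP reader accepts `data`. zipfile locates the central
    directory from the *end* of the file, so data prepended to a ZIP
    (such as a whole tar archive) does not stop it from being read."""
    return zipfile.is_zipfile(io.BytesIO(data))


def detect_formats(data: bytes) -> set:
    """Every archive format that some reader would accept for this blob."""
    found = set()
    if parses_as_tar(data):
        found.add("tar")
    if parses_as_zip(data):
        found.add("zip")
    return found


def check_archive(filename: str, data: bytes):
    """Return (accept, reason). Accept only when exactly one format parses
    and it is the format the filename promises."""
    formats = detect_formats(data)
    expected = EXPECTED_FORMAT.get(os.path.splitext(filename)[1].lower())
    if len(formats) > 1:
        return False, "ambiguous archive: parses as %s" % ", ".join(sorted(formats))
    if not formats:
        return False, "unrecognised archive format"
    (actual,) = formats
    if expected is None:
        return False, "unsupported extension on %s" % filename
    if actual != expected:
        return False, "filename says %s but content is %s" % (expected, actual)
    return True, "ok: %s" % actual


# --- constructed sample archives, built in memory for this example ---
def build_tar(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


CLEAN_TAR = build_tar("pkg/setup.py", b"# benign sample\n")
CLEAN_ZIP = build_zip("pkg/__init__.py", b"")
# One blob, two readers: the tar reader sees CLEAN_TAR, the ZIP reader sees CLEAN_ZIP.
CONCATENATED = CLEAN_TAR + CLEAN_ZIP

if __name__ == "__main__":
    samples = [("good.tar", CLEAN_TAR), ("good.whl", CLEAN_ZIP),
               ("looks-like.tar", CONCATENATED), ("renamed.zip", CLEAN_TAR)]
    for fname, blob in samples:
        accept, reason = check_archive(fname, blob)
        print("%-16s %-6s %s" % (fname, "ACCEPT" if accept else "REJECT", reason))
```

The two reader functions disagree by design: the tar reader trusts the front of the file and the ZIP reader trusts the back, which is exactly why a concatenation satisfies both. Running this gate on a package before handing it to an affected pip turns that disagreement into a rejection; it does not fix pip itself, and compressed sdists (`.tar.gz`) would need to be decompressed before the same check is applied.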

What are the Known Public Exploits?

No known public exploits have been published; the PoC, author, link and commentary fields are empty.

What are the Available Fixes for CVE-2026-3219?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2026-3219?

Similar Vulnerabilities: CVE-2020-13982, CVE-2023-25807, CVE-2021-39139, CVE-2020-13435, CVE-2023-38831