CVE-2026-24049
Published: 22 January 2026
Summary
CVE-2026-24049 is a high-severity Path Traversal (CWE-22) vulnerability in Wheel Project Wheel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it ranks at the 3.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-24049 affects the wheel command line tool for manipulating Python wheel files as defined in PEP 427. In versions 0.40.0 through 0.46.2, the unpack function mishandles file permissions after extraction by blindly trusting the filename from the archive header during the chmod operation, even if the extraction process has sanitized the path. This vulnerability, associated with CWE-22 (path traversal) and CWE-732 (incorrect permission assignment), has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).
A local attacker with no privileges can exploit this by crafting a malicious wheel file that, when unpacked by a user, modifies permissions on critical system files such as /etc/passwd, SSH keys, or configuration files. This enables privilege escalation or arbitrary code execution by making scripts writable and executable, requiring user interaction to trigger the unpack operation.
The issue has been addressed in wheel version 0.46.2, as detailed in the project's security advisory (GHSA-8rrh-rw8j-w5fx), release notes, and the fixing commit (7a7d2de96b22a9adf9208afcc9547e1001569fef). Security practitioners should upgrade to 0.46.2 or later and audit wheel usage in Python environments to prevent unpacking untrusted wheel files.
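The fix pattern described above, as an added illustration that is not code from the wheel project: the archive's mode bits are applied to the path the extractor actually wrote, after confirming the entry resolves inside the destination, rather than to a path rebuilt from the raw header filename. The in-memory archive, entry names and modes are constructed sample input.

```python
import io
import os
import stat
import tempfile
import zipfile

def build_wheel(entries):
    """Constructed stand-in for a wheel: an in-memory zip from [(name, mode, data)]."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode, data in entries:
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFREG | mode) << 16  # POSIX mode bits live in the high 16 bits
            zf.writestr(info, data)
    return buf.getvalue()

def safe_unpack(wheel_bytes, dest):
    """Extract under dest, then chmod the path actually written; returns [(relpath, mode)]."""
    dest = os.path.realpath(dest)
    applied = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            # Reject any header name that would resolve outside dest before touching the disk.
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"entry escapes destination: {info.filename!r}")
            written = zf.extract(info, dest)  # the real on-disk path, not the header name
            mode = (info.external_attr >> 16) & 0o777
            if mode and not info.is_dir():
                os.chmod(written, mode)  # the flawed pattern chmods os.path.join(dest, info.filename)
                applied.append((os.path.relpath(written, dest), mode))
    return applied

def demo():
    """Run a clean and a hostile archive through safe_unpack; returns what happened."""
    clean = build_wheel([("pkg/run.sh", 0o755, b"#!/bin/sh\n"), ("pkg/a.txt", 0o644, b"x")])
    hostile = build_wheel([("../../outside.sh", 0o777, b"x")])  # traversal in the header name
    with tempfile.TemporaryDirectory() as dest:
        applied = safe_unpack(clean, dest)
        run_sh_mode = stat.S_IMODE(os.stat(os.path.join(dest, "pkg", "run.sh")).st_mode)
        try:
            safe_unpack(hostile, dest)
            rejected = False
        except ValueError:
            rejected = True
    return {"applied": applied, "run_sh_mode": run_sh_mode, "rejected": rejected}

if __name__ == "__main__":
    print(demo())
```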
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4133
Vulnerability details
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability directly enables unauthorized chmod on critical files (e.g. /etc/passwd) via malicious wheel unpack, mapping to permission modification (T1222.002) and resulting privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces validation and sanitization of untrusted filenames and permission metadata extracted from wheel archives before any chmod operation.
- AC-6 (Least Privilege): Ensures the wheel unpack process runs with only the minimum privileges required, preventing modification of permissions on critical system files even if path data is trusted.
- Restricts the ability to change file permissions or ownership on protected system paths, blocking the chmod abuse that results from the flawed unpack logic.