CVE-2026-8643

high Red Hat
CVSS v3 Base Score
8.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
High
Published: May 27, 2026 (43 days ago)
Last Modified: May 27, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in pip, the package installer for Python. A remote attacker can exploit this vulnerability by tricking a victim into installing a malicious Python wheel. This wheel contains specially crafted entry-point names that use directory traversal or absolute paths. This allows pip to write generated script wrappers outside the intended installation directory, leading to arbitrary file overwrite. This can severely impact system integrity and availability, and in certain scenarios, may lead to arbitrary code execution.

CWE

CWE-22

Affected Products

Exploit IntelligenceMigration Toolkit for Applications 8Migration Toolkit for VirtualizationOpenShift LightspeedOpenShift Service Mesh 3Pen Drive Powered by Red Hat LightspeedRed Hat AI Inference ServerRed Hat Ansible Automation Platform 2Red Hat Developer HubRed Hat Discovery 2

References