All vulnerabilities

CVE-2026-6357

pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere

Description

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Score
5.3
Severity
Medium
Ecosystem
Python
Publish Date
April 27, 2026
Modified Date
May 7, 2026
Score Vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Versions