{"id":"UBUNTU-CVE-2026-1703","details":"When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.","modified":"2026-02-04T20:59:15.590975Z","published":"2026-02-02T15:16:00Z","upstream":["CVE-2026-1703"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-1703"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-1703"},{"type":"REPORT","url":"https://github.com/pypa/pip/pull/13777"},{"type":"REPORT","url":"https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/"},{"type":"REPORT","url":"https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735"}],"affected":[{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/python-pip@1.5.4-1ubuntu4+esm5?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.4.1-2","1.5.4-1","1.5.4-1ubuntu1","1.5.4-1ubuntu3","1.5.4-1ubuntu4","1.5.4-1ubuntu4+esm1","1.5.4-1ubuntu4+esm2","1.5.4-1ubuntu4+esm3","1.5.4-1ubuntu4+esm4","1.5.4-1ubuntu4+esm5"],"ecosystem_specific":{"binaries":[{"binary_version":"1.5.4-1ubuntu4+esm5","binary_name":"python-pip"},{"binary_version":"1.5.4-1ubuntu4+esm5","binary_name":"python-pip-whl"},{"binary_version":"1.5.4-1ubuntu4+esm5","binary_name":"python3-pip"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/python-pip@8.1.1-2ubuntu0.6+esm12?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.6-7ubuntu1","1.5.6-7ubuntu2","8.0.2-7","8.0.3-1","8.0.3-2","8.1.0-1","8.1.0-2","8.1.1-1","8.1.1-2","8.1.1-2ubuntu0.1","8.1.1-2ubuntu0.2","8.1.1-2ubuntu0.4","8.1.1-2ubuntu0.6","8.1.1-2ubuntu0.6+esm2","8.1.1-2ubuntu0.6+esm3","8.1.1-2ubuntu0.6+esm4","8.1.1-2ubuntu0.6+esm5","8.1.1-2ubuntu0.6+esm6","8.1.1-2ubuntu0.6+esm8","8.1.1-2ubuntu0.6+esm10","8.1.1-2ubuntu0.6+esm11","8.1.1-2ubuntu0.6+esm12"],"ecosystem_specific":{"binaries":[{"binary_version":"8.1.1-2ubuntu0.6+esm12","binary_name":"python-pip"},{"binary_version":"8.1.1-2ubuntu0.6+esm12","binary_name":"python-pip-whl"},{"binary_version":"8.1.1-2ubuntu0.6+esm12","binary_name":"python3-pip"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/python-pip@9.0.1-2.3~ubuntu1.18.04.8+esm8?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.0.1-2","9.0.1-2.3~ubuntu1","9.0.1-2.3~ubuntu1.18.04.1","9.0.1-2.3~ubuntu1.18.04.2","9.0.1-2.3~ubuntu1.18.04.3","9.0.1-2.3~ubuntu1.18.04.4","9.0.1-2.3~ubuntu1.18.04.5","9.0.1-2.3~ubuntu1.18.04.5+esm2","9.0.1-2.3~ubuntu1.18.04.5+esm3","9.0.1-2.3~ubuntu1.18.04.6","9.0.1-2.3~ubuntu1.18.04.6+esm1","9.0.1-2.3~ubuntu1.18.04.7","9.0.1-2.3~ubuntu1.18.04.7+esm1","9.0.1-2.3~ubuntu1.18.04.8","9.0.1-2.3~ubuntu1.18.04.8+esm1","9.0.1-2.3~ubuntu1.18.04.8+esm2","9.0.1-2.3~ubuntu1.18.04.8+esm4","9.0.1-2.3~ubuntu1.18.04.8+esm6","9.0.1-2.3~ubuntu1.18.04.8+esm7","9.0.1-2.3~ubuntu1.18.04.8+esm8"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.1-2.3~ubuntu1.18.04.8+esm8","binary_name":"python-pip"},{"binary_version":"9.0.1-2.3~ubuntu1.18.04.8+esm8","binary_name":"python-pip-whl"},{"binary_version":"9.0.1-2.3~ubuntu1.18.04.8+esm8","binary_name":"python3-pip"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/python-pip@20.0.2-5ubuntu1.11+esm4?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["18.1-5","18.1-5build1","18.1-5ubuntu1","20.0.2-2","20.0.2-4","20.0.2-5","20.0.2-5ubuntu1","20.0.2-5ubuntu1.1","20.0.2-5ubuntu1.3","20.0.2-5ubuntu1.4","20.0.2-5ubuntu1.5","20.0.2-5ubuntu1.6","20.0.2-5ubuntu1.7","20.0.2-5ubuntu1.8","20.0.2-5ubuntu1.9","20.0.2-5ubuntu1.10","20.0.2-5ubuntu1.10+esm2","20.0.2-5ubuntu1.11","20.0.2-5ubuntu1.11+esm2","20.0.2-5ubuntu1.11+esm3","20.0.2-5ubuntu1.11+esm4"],"ecosystem_specific":{"binaries":[{"binary_version":"20.0.2-5ubuntu1.11+esm4","binary_name":"python-pip-whl"},{"binary_version":"20.0.2-5ubuntu1.11+esm4","binary_name":"python3-pip"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/python-pip@22.0.2+dfsg-1ubuntu0.7?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["20.3.4-4","21.3.1+dfsg-3","22.0.2+dfsg-1","22.0.2+dfsg-1ubuntu0.1","22.0.2+dfsg-1ubuntu0.2","22.0.2+dfsg-1ubuntu0.3","22.0.2+dfsg-1ubuntu0.4","22.0.2+dfsg-1ubuntu0.5","22.0.2+dfsg-1ubuntu0.6","22.0.2+dfsg-1ubuntu0.7"],"ecosystem_specific":{"binaries":[{"binary_version":"22.0.2+dfsg-1ubuntu0.7","binary_name":"python3-pip"},{"binary_version":"22.0.2+dfsg-1ubuntu0.7","binary_name":"python3-pip-whl"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/python-pip@24.0+dfsg-1ubuntu1.3?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["23.2+dfsg-1","23.3+dfsg-1","24.0+dfsg-1","24.0+dfsg-1ubuntu1","24.0+dfsg-1ubuntu1.1","24.0+dfsg-1ubuntu1.2","24.0+dfsg-1ubuntu1.3"],"ecosystem_specific":{"binaries":[{"binary_version":"24.0+dfsg-1ubuntu1.3","binary_name":"python3-pip"},{"binary_version":"24.0+dfsg-1ubuntu1.3","binary_name":"python3-pip-whl"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/python-pip@25.1.1+dfsg-1ubuntu2?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["25.0+dfsg-1","25.1.1+dfsg-1","25.1.1+dfsg-1ubuntu1","25.1.1+dfsg-1ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_version":"25.1.1+dfsg-1ubuntu2","binary_name":"python3-pip"},{"binary_version":"25.1.1+dfsg-1ubuntu2","binary_name":"python3-pip-whl"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-1703.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}]}