CVE Tools

CVE-2026-24049

wheel Allows Arbitrary File Permission Modification via Path Traversal

Published: Jan 22, 2026Updated: Feb 18, 2026 Sources: CVE List NVD GHSA BDUCWE-22

No Known Exploits

Patch Available

Description

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

CVSS Vector Breakdown

Exploitability

AV:LAttack Vector

Local

AC:LAttack Complexity

Low

PR:NPrivileges Required

None

UI:RUser Interaction

Required

Scope

S:UScope

Unchanged

Impact

C:NConfidentiality

None

I:HIntegrity

High

A:HAvailability

High

Open in CVSS calculator →

Weaknesses

Affected Products

РЕД ОС ООО «Ред Софт»

On-premOS

Operating Systems / linux-distro

Wheel Python Software Foundation OSS Libraries

Library

OSS Libraries / pypi

wheel PyPI OSS Libraries

wheel wheel project

Mixed

Web & CMS Plugins / cms-core

ооо «ред софт»commercialRUOperating Systemsaka red soft

python software foundationoss-projectUSOSS Librariesaka python software foundation, psf

pypaoss-projectOSS Librariesaka pip, pipenv, pypa/setuptools

pypipackage-ecosystemOSS Libraries

wheel project Web & CMS Pluginsaka wheel

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

Workaround Available

MITRE ATT&CK

3 techniques

Collection

Discovery

Privilege Escalation

View detailed technique mapping

References

https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx

https://redos.red-soft.ru/search/?iblock_id=24&q=CVE-2026-24049

redos.red-soft.ru

https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx

and 5 more references View all →

Timeline

Published

Jan 22, 2026

Last Updated

Feb 18, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-24049 and every CVE in our database. Create a free account — no credit card required.

Create Free Account

Plain-language analysis

Impact assessment and exploitation scenario in plain English

Attack graph visualization

Interactive attack path and kill chain mapping

Exploit details & PoC links

ExploitDB, Metasploit, GitHub PoCs with direct links

Nuclei scanner templates

Ready-to-use vulnerability scanner templates

Full remediation guide

Patch instructions, workarounds, and compliance impact

Interactive AI chat

Ask questions about this vulnerability in natural language

Related vulnerabilities

Semantically similar CVEs and attack patterns

REST API & MCP access

Integrate vulnerability data into your workflows