Bug 2452326 - CVE-2026-25645 python-pip: Requests: Security bypass due to predictable temporary file creation [fedora-all]
Summary: CVE-2026-25645 python-pip: Requests: Security bypass due to predictable tempo...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: python-pip
Version: rawhide
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Python Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["814f2bbf-bee2-4a7c-84ac-4...
Depends On:
Blocks: CVE-2026-25645
TreeView+ depends on / blocked
 
Reported: 2026-03-27 16:23 UTC by Jon Moroney
Modified: 2026-05-20 14:03 UTC (History)
6 users (show)

Fixed In Version: python-pip-26.1.1-3.fc45
Clone Of:
Environment:
Last Closed: 2026-05-20 13:41:51 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Jon Moroney 2026-03-27 16:23:01 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Miro Hrončok 2026-04-29 12:09:18 UTC
This is 4.7 CVSS v3 Score. We will likely update pip in rawhide and let it remain unfixed in older Fedoras.

Comment 2 Lumír Balhar 2026-05-20 13:41:51 UTC
This has been fixed in requests 2.33.0, and now, we have pip 26.1.1 in rawhide that bundles requests 2.33.1.

https://bodhi.fedoraproject.org/updates/FEDORA-2026-a68b46ff2a


Note You need to log in before you can comment on or make changes to this bug.