2461604 – (CVE-2026-41140) CVE-2026-41140 poetry: Poetry: Path traversal vulnerability allows arbitrary file write via malicious package extraction

Bug 2461604 (CVE-2026-41140) - CVE-2026-41140 poetry: Poetry: Path traversal vulnerability allows arbitrary file write via malicious package extraction

Summary: CVE-2026-41140 poetry: Poetry: Path traversal vulnerability allows arbitrary ...

Keywords:
Status:	NEW
Alias:	CVE-2026-41140
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2461803
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-24 18:01 UTC by OSIDB Bzimport
Modified:	2026-04-27 15:32 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-24 18:01:45 UTC

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4. This vulnerability is fixed in 2.3.4.

Note You need to log in before you can comment on or make changes to this bug.

anthomas
dschmidt
ehelms
erezende
ggainey
jdobes
jkoehler
jlanda
juwatts
kgaikwad
kshier
lphiri
mhulan
nmoumoul
orabin
osousa
pcreech
rchan
simaishi
smallamp
smcdonal
stcannon
teagle
tmalecek
yguenane