CVE-2026-22701: CWE-59: Improper Link Resolution Before File Access ('Link Following') in tox-dev filelock
filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.
AI Analysis
Technical Summary
The vulnerability CVE-2026-22701 resides in the Python filelock package, specifically in the SoftFileLock implementation prior to version 3.20.3. The issue is a time-of-check to time-of-use (TOCTOU) race condition in the _acquire() method. During lock acquisition, raise_on_not_writable_file() performs a permission check on the lock file path, and os.open() is then called on that same path to create or open the lock file. Between these two operations, an attacker with local filesystem access and the ability to create symbolic links can place a symlink at the lock file path. The symlink can redirect the lock operation to an unintended target file, causing the lock to fail or behave unpredictably. This can lead to denial of service by preventing proper locking, or compromise file integrity by locking or modifying unintended files. Exploitation requires local access with permission to create symlinks, which rules out remote exploitation but leaves shared and multi-tenant environments exposed. The issue is classified under CWE-59 (Improper Link Resolution Before File Access), CWE-362 (Race Condition), and CWE-367 (Time-of-check Time-of-use Race Condition). The vulnerability has a CVSS 3.1 score of 5.3 (medium severity), reflecting its moderate impact and exploitation complexity. No known exploits are reported in the wild, and the issue has been addressed in filelock version 3.20.3.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment context of the filelock package. Organizations using Python applications that rely on filelock for concurrency control on shared filesystems or in multi-user environments are at risk. Exploitation could lead to denial of service by causing lock failures, potentially disrupting critical processes that depend on file locking for data consistency. Additionally, file integrity could be compromised if locks are redirected to unintended files, possibly leading to data corruption or unauthorized file modifications. Sectors with high reliance on Python automation, data processing, or multi-user systems, such as finance, healthcare, and research institutions, may face operational disruptions. The requirement for local access and symlink creation permissions reduces the risk of remote exploitation but highlights the importance of internal security controls. Attackers with insider access or compromised local accounts could leverage this vulnerability to escalate impact. Overall, the vulnerability poses a moderate risk to affected systems, with no confidentiality impact, low integrity impact, and high availability impact.
Mitigation Recommendations
European organizations should immediately upgrade all instances of the filelock package to version 3.20.3 or later to apply the official patch. In environments where immediate upgrade is not feasible, implement strict filesystem permissions to restrict symlink creation rights to trusted users only. Employ monitoring and alerting for unusual symlink creation activities in directories where lock files reside. Use containerization or sandboxing to isolate applications using filelock, limiting the potential impact of local exploits. Conduct regular audits of Python dependencies and enforce secure coding practices to avoid TOCTOU vulnerabilities. For critical systems, consider implementing additional locking mechanisms or using alternative libraries with proven resistance to race conditions. Educate developers and system administrators about the risks of TOCTOU race conditions and the importance of timely patching. Finally, review internal access controls to minimize the number of users with local filesystem privileges that could be exploited.
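To make the check-then-open window described in the technical summary concrete, and the "secure coding practices to avoid TOCTOU" recommendation above actionable, here is an added illustration of a soft-lock acquire that has no separate permission check before os.open(); it is example code written for this page, not filelock's own implementation or its 3.20.3 patch, and the function names and the constructed temp-directory scenario in demo() are assumptions.

```python
import os
import stat
import tempfile

# Added illustration, not filelock's code. The race on the page sits between a
# permission check on the path and a later os.open() on the same path. Here
# os.open() is the only decision point: O_CREAT|O_EXCL fails if anything already
# occupies the path (a symlink included), and O_NOFOLLOW refuses to follow one.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # absent on Windows, hence the fallback


def acquire_soft_lock(lock_path: str):
    """Return an fd on the freshly created lock file, or None if it cannot be taken safely."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW
    try:
        fd = os.open(lock_path, flags, 0o644)
    except OSError:  # EEXIST (already held, or a symlink planted there) or ELOOP
        return None
    # Post-open verification: the descriptor must refer to the regular file that the
    # path names right now, not to a target reached through a link.
    fd_st, path_st = os.fstat(fd), os.lstat(lock_path)
    if not stat.S_ISREG(fd_st.st_mode) or (fd_st.st_dev, fd_st.st_ino) != (path_st.st_dev, path_st.st_ino):
        os.close(fd)
        return None
    return fd


def release_soft_lock(lock_path: str, fd: int) -> None:
    os.close(fd)
    os.unlink(lock_path)  # removes the name only; never follows a link


def demo() -> dict:
    """Constructed scenario: a pre-placed symlink at the lock path is refused and its target untouched; a clean path locks once."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "important.cfg")
        with open(target, "w") as f:
            f.write("original")
        planted = os.path.join(d, "planted.lock")
        os.symlink(target, planted)  # constructed: the filesystem state the advisory warns about
        refused = acquire_soft_lock(planted) is None
        with open(target) as f:
            target_intact = f.read() == "original"
        clean = os.path.join(d, "clean.lock")
        fd = acquire_soft_lock(clean)
        first_ok = fd is not None
        second_blocked = acquire_soft_lock(clean) is None  # lock is held, so refused
        release_soft_lock(clean, fd)
        released = not os.path.exists(clean)
    return {"refused": refused, "target_intact": target_intact, "first_ok": first_ok,
            "second_blocked": second_blocked, "released": released}
```

The same post-open fstat/lstat comparison can be used as a runtime check in code that must keep using an older filelock release until it can be upgraded.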
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-08T19:23:09.856Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961ed34c540fa4b542a0971
Added to database: 1/10/2026, 6:09:56 AM
Last enriched: 1/17/2026, 7:55:22 AM
Last updated: 2/7/2026, 8:51:32 AM
Views: 87