CVE-2026-32274: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in psf black
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
AI Analysis
Technical Summary
CVE-2026-32274 is a path traversal vulnerability classified under CWE-22 affecting the Python code formatter Black, maintained by the Python Software Foundation (psf). In versions prior to 26.3.1, Black generates cache files whose filenames are computed from various formatting options, including the --python-cell-magics argument. The vulnerability stems from the lack of sanitization of the --python-cell-magics option value before it is incorporated into the cache filename. An attacker who can control this argument can manipulate the filename to include path traversal sequences (e.g., '../'), enabling the creation or overwriting of cache files at arbitrary locations on the filesystem. This can lead to unauthorized file writes outside the intended cache directory, potentially overwriting critical files or planting malicious files. The vulnerability can be exploited remotely without authentication or user interaction, as Black is often used in automated environments. The CVSS 4.0 base score is 8.7 (high severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and high impact on integrity due to arbitrary file writes. The issue was addressed in Black version 26.3.1 by properly sanitizing the --python-cell-magics input before using it in filenames. No public exploits have been reported yet, but the vulnerability poses a significant risk to development environments, CI/CD pipelines, and any automated systems invoking Black with untrusted or user-controlled input.
Potential Impact
The primary impact of CVE-2026-32274 is unauthorized file write capability on systems running vulnerable versions of Black. This can lead to integrity violations by overwriting or creating arbitrary files, potentially enabling further attacks such as code execution, privilege escalation, or disruption of development workflows. In automated build or deployment pipelines, an attacker could leverage this to inject malicious files or disrupt operations. Since Black is widely used in Python development environments globally, the vulnerability could affect a broad range of organizations, including software companies, cloud service providers, and enterprises relying on Python for automation. The lack of authentication and user interaction requirements increases the risk of remote exploitation, especially in environments where Black is exposed to untrusted inputs. Although no exploits are currently known in the wild, the vulnerability's characteristics suggest it could be weaponized by attackers targeting software supply chains or development infrastructure.
Mitigation Recommendations
To mitigate CVE-2026-32274, organizations should immediately upgrade Black to version 26.3.1 or later, where the vulnerability is fixed. Additionally, review and restrict the sources of input for the --python-cell-magics option to trusted users or processes only. Implement input validation and sanitization controls in any automation scripts or CI/CD pipelines invoking Black to prevent untrusted input from reaching the formatter. Employ filesystem permissions and sandboxing to limit the impact of any unauthorized file writes, ensuring that Black runs with the least privileges necessary. Monitor logs and filesystem changes for unusual cache file creation or modification patterns. For environments where immediate upgrade is not feasible, consider disabling or restricting the use of the --python-cell-magics option. Finally, maintain awareness of updates from the Python Software Foundation and security advisories related to Black and related tooling.
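The following is an added illustration, not code from Black or from this advisory, of the defect pattern the Technical Summary describes and of the two controls the mitigation section asks for: deriving the cache file name from a hash of the option values rather than from the raw strings, and refusing any write that resolves outside the cache directory. The function names, the `cache.<key>.pickle` layout, and the cache directory are assumptions for the model; Black's actual cache code is not reproduced here.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Constructed, simplified model of a formatter that names its cache file after
# its formatting options. Nothing below is Black's own code; the layout
# "<cache_dir>/cache.<key>.pickle" is an assumption for illustration.


def unsafe_cache_path(cache_dir: Path, python_cell_magics: list[str]) -> Path:
    """The pattern the advisory describes: option values are interpolated into
    the file name without sanitization, so a value containing path separators
    or '..' components changes where the file lands."""
    key = ",".join(sorted(python_cell_magics))
    return cache_dir / f"cache.{key}.pickle"


def safe_cache_path(cache_dir: Path, python_cell_magics: list[str]) -> Path:
    """Hardened form: the option values are hashed, so the file name is always a
    fixed-length hex string with no separators, whatever the input contains."""
    digest = hashlib.sha256()
    for magic in sorted(python_cell_magics):
        # Length-prefix each value so ["ab", "c"] and ["a", "bc"] hash differently.
        digest.update(len(magic).to_bytes(4, "big"))
        digest.update(magic.encode("utf-8"))
    return cache_dir / f"cache.{digest.hexdigest()}.pickle"


def is_within(root: Path, candidate: Path) -> bool:
    """Containment check: the resolved candidate must sit under the resolved
    root. Resolving both sides normalizes '..' components and symlinks, which a
    plain string-prefix comparison would not."""
    root_r = os.path.realpath(root)
    cand_r = os.path.realpath(candidate)
    return os.path.commonpath([root_r, cand_r]) == root_r


def write_cache_file(cache_dir: Path, python_cell_magics: list[str], payload: bytes) -> Path:
    """Defense in depth: derive the name safely AND refuse to write anything
    that resolves outside the cache directory."""
    target = safe_cache_path(cache_dir, python_cell_magics)
    if not is_within(cache_dir, target):
        raise ValueError(f"refusing to write outside cache dir: {target}")
    cache_dir.mkdir(parents=True, exist_ok=True)
    target.write_bytes(payload)
    return target


def demo() -> dict:
    """Run the hardened path end to end in a throwaway directory and report
    what a reviewer would want to confirm. Uses a constructed option value
    containing traversal components."""
    cache_dir = Path(tempfile.mkdtemp(prefix="example-formatter-cache-"))
    hostile_value = ["x/../../../outside"]  # constructed, hostile-looking input
    payload = b"constructed cache contents"
    target = write_cache_file(cache_dir, hostile_value, payload)
    return {
        "within": is_within(cache_dir, target),
        "parent_is_cache_dir": target.parent == cache_dir,
        "payload_roundtrip": target.read_bytes() == payload,
        "unsafe_would_escape": not is_within(cache_dir, unsafe_cache_path(cache_dir, hostile_value)),
    }


if __name__ == "__main__":
    print(demo())
```

The hash-based name removes the traversal possibility at the source, and the containment check is an independent second gate that also catches mistakes elsewhere in the path construction; auditing other tools that build file names from CLI options for either control is the general takeaway.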
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, Canada, France, Australia, Netherlands, Brazil, South Korea, Russia, Israel, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T15:05:48.400Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b31b3a2f860ef943e8fcb0
Added to database: 3/12/2026, 7:59:54 PM
Last enriched: 3/12/2026, 8:14:17 PM
Last updated: 3/12/2026, 9:58:21 PM