CVE-2026-32274 is a path traversal vulnerability classified under CWE-22 found in the Python code formatter Black, maintained by the Python Software Foundation (psf). Black versions prior to 26.3.1 generate cache filenames based on various formatting options, including the --python-cell-magics argument. The vulnerability stems from the failure to sanitize the value of this argument before incorporating it into the cache filename. An attacker who can control the --python-cell-magics option can craft input that traverses directories (e.g., using '../') to write cache files outside the intended restricted cache directory. This arbitrary file write capability can be leveraged to overwrite critical files, inject malicious code, or disrupt system operations. The vulnerability does not require any authentication or user interaction and can be exploited remotely if an attacker can influence the command-line arguments passed to Black. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on integrity, with no impact on confidentiality or availability. Although no known exploits are reported in the wild yet, the high severity score and ease of exploitation make this a critical issue for developers and organizations relying on Black for automated code formatting. The vulnerability was fixed in Black version 26.3.1 by properly sanitizing the --python-cell-magics input before using it in filenames, preventing directory traversal and unauthorized file writes.

The primary impact of CVE-2026-32274 is unauthorized file write capability due to path traversal, which threatens the integrity of affected systems. Attackers can overwrite or create files in arbitrary locations, potentially leading to code injection, privilege escalation, or disruption of development environments. This can compromise build pipelines, continuous integration systems, or developer workstations that use Black for formatting Python code. The vulnerability could facilitate supply chain attacks if exploited in automated environments, impacting software integrity and trust. Although confidentiality and availability impacts are minimal, the integrity breach can have cascading effects, including execution of malicious code or denial of service through corrupted files. Organizations worldwide that incorporate Black into their development workflows face risks of compromised codebases and operational disruptions. The lack of required privileges or user interaction lowers the barrier for exploitation, increasing the threat surface.

To mitigate CVE-2026-32274, organizations should immediately upgrade Black to version 26.3.1 or later, which includes the fix for proper input sanitization. Review and restrict access to systems where Black is used, especially in automated CI/CD pipelines, to prevent unauthorized manipulation of command-line arguments. Implement strict input validation and sanitization for any user-controllable parameters passed to development tools. Monitor filesystem changes in directories used by Black for caching to detect suspicious file writes or modifications. Employ application whitelisting and endpoint protection to detect and block unauthorized file operations. Educate developers and DevOps teams about the risks of unsanitized inputs in tooling and enforce secure coding and deployment practices. Regularly audit and update development dependencies to incorporate security patches promptly.