CVE-2026-41140: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in python-poetry poetry
CVE-2026-41140 is a path traversal vulnerability in python-poetry versions prior to 2. 3. 4. It affects the extractall() function used to extract source distribution tarballs, which does not properly restrict pathname extraction on certain Python versions (3. 10. 0 to 3. 10. 12 and 3. 11. 0 and above).
AI Analysis
Technical Summary
This vulnerability (CVE-2026-41140) involves improper limitation of a pathname to a restricted directory (CWE-22) in the python-poetry tool, specifically in the extractall() function. Versions of poetry prior to 2.3.4 are affected when running on certain Python versions (3.10.0 through 3.10.12 and 3.11.0 and later). The flaw allows path traversal during extraction of source distribution tarballs, potentially enabling files to be extracted outside the intended directory. The vulnerability has a low CVSS 4.0 score of 0.6 and no known active exploitation. No vendor advisory or patch information is currently available to confirm remediation status.
Potential Impact
An attacker could exploit this vulnerability to write files outside the intended extraction directory, potentially overwriting or creating files in arbitrary locations. However, the impact is rated low due to the limited attack complexity and lack of known exploits. The vulnerability requires user interaction and privileges consistent with the user running poetry. No evidence of active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should upgrade to poetry version 2.3.4 or later once available, as the vulnerability affects versions prior to 2.3.4. Until an official fix is confirmed, exercise caution when extracting untrusted source distribution tarballs with vulnerable poetry versions.
CVE-2026-41140: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in python-poetry poetry
Description
CVE-2026-41140 is a path traversal vulnerability in python-poetry versions prior to 2. 3. 4. It affects the extractall() function used to extract source distribution tarballs, which does not properly restrict pathname extraction on certain Python versions (3. 10. 0 to 3. 10. 12 and 3. 11. 0 and above).
CVSS v4.0
Score 0.6low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-41140) involves improper limitation of a pathname to a restricted directory (CWE-22) in the python-poetry tool, specifically in the extractall() function. Versions of poetry prior to 2.3.4 are affected when running on certain Python versions (3.10.0 through 3.10.12 and 3.11.0 and later). The flaw allows path traversal during extraction of source distribution tarballs, potentially enabling files to be extracted outside the intended directory. The vulnerability has a low CVSS 4.0 score of 0.6 and no known active exploitation. No vendor advisory or patch information is currently available to confirm remediation status.
Potential Impact
An attacker could exploit this vulnerability to write files outside the intended extraction directory, potentially overwriting or creating files in arbitrary locations. However, the impact is rated low due to the limited attack complexity and lack of known exploits. The vulnerability requires user interaction and privileges consistent with the user running poetry. No evidence of active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should upgrade to poetry version 2.3.4 or later once available, as the vulnerability affects versions prior to 2.3.4. Until an official fix is confirmed, exercise caution when extracting untrusted source distribution tarballs with vulnerable poetry versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T12:59:15.738Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebaa0487115cfb685ef421
Added to database: 4/24/2026, 5:36:04 PM
Last enriched: 6/4/2026, 9:17:48 PM
Last updated: 6/8/2026, 9:31:12 AM
Views: 75
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.