CVE-2026-3087 Overview
CVE-2026-3087 is a path traversal vulnerability in Python's shutil.unpack_archive() function on Windows systems. When a ZIP archive contains entries whose names are absolute Windows paths with a drive letter (e.g., C:\...), the function extracts those files outside the intended target directory. This behavior differs from that on other operating systems and creates a significant security risk for applications that process untrusted ZIP archives on Windows platforms.
Critical Impact
Attackers can craft malicious ZIP archives that extract files to arbitrary locations on Windows systems, potentially overwriting critical system files or placing malicious executables in sensitive directories.
Affected Products
- Python (Windows installations)
- Applications using shutil.unpack_archive() to process untrusted ZIP files on Windows
- Python-based archive extraction utilities on Windows platforms
Discovery Timeline
- 2026-04-27 - CVE-2026-3087 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-3087
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The root issue lies in how Python's shutil.unpack_archive() handles ZIP archive entries containing absolute Windows-style paths with drive specifications.
On non-Windows operating systems, absolute paths in ZIP archives are typically sanitized or rejected. However, on Windows, paths beginning with drive letters (such as C:\Windows\System32\) are processed differently, allowing the extraction process to write files to locations outside the intended extraction directory.
Exploitation requires network access and only low privileges, though some preconditions outside the attacker's direct control must also hold: a vulnerable application has to extract the crafted archive. The primary impact is to system integrity, as attackers can write arbitrary files to the filesystem.
Root Cause
The vulnerability stems from insufficient path validation in the shutil.unpack_archive() function when handling Windows-specific absolute paths. The function fails to properly normalize or reject paths containing drive letters before extraction, allowing the absolute path to override the target directory specification.
Standard path traversal protection mechanisms that check for ../ sequences do not account for Windows absolute paths with drive specifications, which bypass the intended extraction directory entirely.
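The following added example (not code from the page or from CPython) models the point above: it uses Python's ntpath module, which applies Windows path rules on any host, to compute where an extractor would write if it joined the target directory with an entry's components after only the usual leading-slash and '..' check. The extraction directory C:\app\extract, the entry names and the naive_filter_rejects model are constructed for illustration.

```python
import ntpath

# Constructed extraction directory used throughout this illustration.
EXTRACT_DIR = r"C:\app\extract"


def naive_filter_rejects(name: str) -> bool:
    """Model of a filter that only looks for a leading '/' and '..' (an
    illustration of the kind of check described above, not CPython's code)."""
    return name.startswith("/") or ".." in name


def windows_target(extract_dir: str, name: str) -> str:
    """Where an extractor would write if it joins the target directory with the
    entry's '/'-separated components under Windows path rules. ntpath gives
    Windows semantics even when this script runs on Linux or macOS."""
    return ntpath.normpath(ntpath.join(extract_dir, *name.split("/")))


def stays_inside(extract_dir: str, name: str) -> bool:
    """True only if the joined path is still under extract_dir on the same drive."""
    base = ntpath.normpath(extract_dir)
    target = windows_target(extract_dir, name)
    if ntpath.splitdrive(target)[0].lower() != ntpath.splitdrive(base)[0].lower():
        return False  # another drive, or a drive-relative path such as "D:file"
    return target == base or target.startswith(base + ntpath.sep)


if __name__ == "__main__":
    # Constructed entry names: one benign, one classic traversal, two with drive letters.
    for entry in ["docs/readme.txt", "../escape.txt",
                  r"C:\Users\Public\malicious.exe", "D:/outside.txt"]:
        print(f"{entry!r:40} naive_rejects={naive_filter_rejects(entry)!s:5} "
              f"lands_at={windows_target(EXTRACT_DIR, entry)!r:40} "
              f"inside={stays_inside(EXTRACT_DIR, entry)}")
```

The classic "../escape.txt" is caught by the naive filter, but both drive-letter names pass it and, under Windows join rules, either replace the extraction directory outright (an absolute C:\ path) or become a drive-relative path on another drive; neither lands under C:\app\extract.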
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious ZIP archive containing entries with absolute Windows paths. When a vulnerable application uses shutil.unpack_archive() to extract this archive, the files are written to the attacker-specified absolute paths rather than the intended target directory.
The attack scenario typically involves:
- Creating a ZIP archive with entries containing absolute Windows paths (e.g., C:\Users\Public\malicious.exe)
- Delivering the malicious archive to a target system through any vector (email, web upload, etc.)
- Waiting for or triggering the archive extraction via shutil.unpack_archive()
- The malicious files are written to attacker-controlled locations on the filesystem
This can lead to arbitrary file write, potentially enabling code execution through DLL hijacking, startup folder persistence, or overwriting critical system/application files.
Detection Methods for CVE-2026-3087
Indicators of Compromise
- Unexpected files appearing in system directories or outside designated extraction paths
- ZIP archives containing entries with Windows absolute paths (paths starting with drive letters like C:\)
- Log entries showing file write operations to unexpected locations during archive extraction
- Python process writing files outside the working directory when processing archives
Detection Strategies
- Monitor Python applications for calls to shutil.unpack_archive() with untrusted input
- Implement file integrity monitoring on critical system directories to detect unauthorized modifications
- Analyze ZIP archives before extraction for entries containing absolute Windows paths
- Use application logging to track extraction target directories versus actual file write locations
Monitoring Recommendations
- Enable verbose logging for Python applications that process archive files
- Deploy file system auditing on Windows systems to track file creation events
- Implement network monitoring for suspicious ZIP file transfers targeting archive processing applications
- Review application logs for path-related errors or unexpected extraction behaviors
How to Mitigate CVE-2026-3087
Immediate Actions Required
- Update Python installations to patched versions as soon as available
- Audit applications that use shutil.unpack_archive() to process untrusted input
- Implement input validation to reject ZIP archives containing absolute paths before extraction
- Consider using alternative extraction methods with explicit path validation until patches are applied
Patch Information
Python has released security patches to address this vulnerability. The fixes are tracked in the following commits:
For detailed information about the vulnerability and patch status, refer to the Python Security Announcement and the GitHub Issue Discussion.
Workarounds
- Validate ZIP archive contents before extraction, rejecting any entries with absolute paths
- Run archive extraction in a sandboxed environment with restricted filesystem access
- Use alternative extraction libraries that enforce strict path validation
- Implement a wrapper function around shutil.unpack_archive() that normalizes paths and prevents directory escape
# Example: Validate ZIP contents before extraction (PowerShell)
# Check for absolute paths in ZIP archive entries. Entry names may use either
# separator, so match "C:\" and "C:/" forms as well as rooted ("\foo", "/foo")
# and UNC ("\\server\share") names.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead("archive.zip")
try {
    foreach ($entry in $zip.Entries) {
        if ($entry.FullName -match '^[A-Za-z]:|^[\\/]') {
            Write-Warning "Dangerous absolute path detected: $($entry.FullName)"
            # Block extraction or sanitize path
        }
    }
}
finally {
    # Release the file handle even if an entry check throws
    $zip.Dispose()
}
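Scanning archives before extraction (the third item under Detection Strategies) and the wrapper suggested in the last workaround item can share one check. The Python below is an added example, not code from the page or from CPython: unsafe_reason, scan_zip, resolves_outside and safe_unpack_zip are this example's own names, and the two archives it builds in a temporary directory are constructed test data (the entry named malicious.exe contains a line of plain text). It goes slightly beyond the drive-letter case by also flagging UNC prefixes, rooted names and '..' segments.

```python
import ntpath
import os
import shutil
import tempfile
import zipfile
from typing import List, Optional, Tuple


def unsafe_reason(name: str) -> Optional[str]:
    """Explain why an entry name could escape the target directory, or return
    None for a plain relative name. Windows treats '/' and '\\' alike, so both
    are normalised first; ntpath.splitdrive is used on purpose so the
    drive-letter/UNC check also fires when the scan runs on Linux or macOS."""
    normalized = name.replace("\\", "/")
    if ntpath.splitdrive(normalized)[0]:
        return "drive letter or UNC prefix"
    if normalized.startswith("/"):
        return "rooted path"
    if ".." in normalized.split("/"):
        return "'..' path segment"
    return None


def resolves_outside(extract_dir: str, name: str) -> bool:
    """Host-specific second check: resolve the entry with the running OS's own
    path rules and confirm it still sits underneath extract_dir."""
    root = os.path.realpath(extract_dir)
    parts = name.replace("\\", "/").split("/")
    target = os.path.realpath(os.path.join(root, *parts))
    try:
        return os.path.commonpath([root, target]) != root
    except ValueError:  # raised on Windows when the drives differ
        return True


def scan_zip(archive: str, extract_dir: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every entry that should not be extracted."""
    with zipfile.ZipFile(archive) as zf:
        names = zf.namelist()
    findings = []
    for name in names:
        reason = unsafe_reason(name)
        if reason is None and extract_dir is not None and resolves_outside(extract_dir, name):
            reason = "resolves outside extract_dir on this host"
        if reason is not None:
            findings.append((name, reason))
    return findings


def safe_unpack_zip(archive: str, extract_dir: str) -> List[str]:
    """Wrapper around shutil.unpack_archive that refuses the whole archive when
    any entry is unsafe; returns the relative paths of the files it wrote."""
    findings = scan_zip(archive, extract_dir)
    if findings:
        raise ValueError(f"refusing {os.path.basename(archive)}: {findings}")
    os.makedirs(extract_dir, exist_ok=True)
    shutil.unpack_archive(archive, extract_dir, format="zip")
    written = []
    for dirpath, _, files in os.walk(extract_dir):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), extract_dir)
            written.append(rel.replace(os.sep, "/"))
    return sorted(written)


def build_fixtures(workdir: str) -> Tuple[str, str]:
    """Construct two archives as test data: a clean one, and one whose entry
    names carry a drive letter and a '..' segment (all contents are text)."""
    clean = os.path.join(workdir, "clean.zip")
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        zf.writestr("bin/tool.cfg", "x=1\n")
    hostile = os.path.join(workdir, "hostile.zip")
    with zipfile.ZipFile(hostile, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        zf.writestr("C:/Users/Public/malicious.exe", "plain text test fixture\n")
        zf.writestr("../escape.txt", "outside\n")
    return clean, hostile


def run_demo() -> dict:
    """Build the fixtures, scan both, extract the clean archive and confirm the
    hostile one is refused before anything is written."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, hostile = build_fixtures(tmp)
        result = {
            "clean_findings": scan_zip(clean),
            "hostile_findings": scan_zip(hostile),
            "clean_extracted": safe_unpack_zip(clean, os.path.join(tmp, "out")),
            "hostile_blocked": False,
        }
        try:
            safe_unpack_zip(hostile, os.path.join(tmp, "out2"))
        except ValueError as exc:
            result["hostile_blocked"] = True
            result["message"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The rule-based check in unsafe_reason is deliberately platform-independent so that a scanner running on a Linux mail gateway still rejects an archive that would only misbehave on a Windows endpoint; resolves_outside adds whatever the local os.path can catch on top of it.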
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


