Skip to main content
CVE Vulnerability Database

CVE-2026-3087: Python shutil Path Traversal Vulnerability

CVE-2026-3087 is a path traversal vulnerability in Python's shutil.unpack_archive() that allows ZIP archives with absolute Windows paths to extract files outside the target directory. This guide covers technical details, impact, and mitigation.

Published:

CVE-2026-3087 Overview

CVE-2026-3087 is a path traversal vulnerability affecting Python's shutil.unpack_archive() function on Windows systems. When processing a ZIP archive containing absolute Windows paths with drive letters (e.g., C:\...), the function extracts files outside the intended target directory. This behavior differs from other operating systems and creates a significant security risk for applications that process untrusted ZIP archives on Windows platforms.

Critical Impact

Attackers can craft malicious ZIP archives that extract files to arbitrary locations on Windows systems, potentially overwriting critical system files or placing malicious executables in sensitive directories.

Affected Products

  • Python (Windows installations)
  • Applications using shutil.unpack_archive() to process untrusted ZIP files on Windows
  • Python-based archive extraction utilities on Windows platforms

Discovery Timeline

  • 2026-04-27 - CVE-2026-3087 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2026-3087

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The root issue lies in how Python's shutil.unpack_archive() handles ZIP archive entries containing absolute Windows-style paths with drive specifications.

On non-Windows operating systems, absolute paths in ZIP archives are typically sanitized or rejected. However, on Windows, paths beginning with drive letters (such as C:\Windows\System32\) are processed differently, allowing the extraction process to write files to locations outside the intended extraction directory.

The attack surface requires network access and low privileges to exploit, though some attacker-controlled preconditions must be met for successful exploitation. The primary impact is to system integrity, as attackers can write arbitrary files to the filesystem.

Root Cause

The vulnerability stems from insufficient path validation in the shutil.unpack_archive() function when handling Windows-specific absolute paths. The function fails to properly normalize or reject paths containing drive letters before extraction, allowing the absolute path to override the target directory specification.

Standard path traversal protection mechanisms that check for ../ sequences do not account for Windows absolute paths with drive specifications, which bypass the intended extraction directory entirely.

Attack Vector

An attacker can exploit this vulnerability by crafting a malicious ZIP archive containing entries with absolute Windows paths. When a vulnerable application uses shutil.unpack_archive() to extract this archive, the files are written to the attacker-specified absolute paths rather than the intended target directory.

The attack scenario typically involves:

  1. Creating a ZIP archive with entries containing absolute Windows paths (e.g., C:\Users\Public\malicious.exe)
  2. Delivering the malicious archive to a target system through any vector (email, web upload, etc.)
  3. Waiting for or triggering the archive extraction via shutil.unpack_archive()
  4. The malicious files are written to attacker-controlled locations on the filesystem

This can lead to arbitrary file write, potentially enabling code execution through DLL hijacking, startup folder persistence, or overwriting critical system/application files.

Detection Methods for CVE-2026-3087

Indicators of Compromise

  • Unexpected files appearing in system directories or outside designated extraction paths
  • ZIP archives containing entries with Windows absolute paths (paths starting with drive letters like C:\)
  • Log entries showing file write operations to unexpected locations during archive extraction
  • Python process writing files outside the working directory when processing archives

Detection Strategies

  • Monitor Python applications for calls to shutil.unpack_archive() with untrusted input
  • Implement file integrity monitoring on critical system directories to detect unauthorized modifications
  • Analyze ZIP archives before extraction for entries containing absolute Windows paths
  • Use application logging to track extraction target directories versus actual file write locations

Monitoring Recommendations

  • Enable verbose logging for Python applications that process archive files
  • Deploy file system auditing on Windows systems to track file creation events
  • Implement network monitoring for suspicious ZIP file transfers targeting archive processing applications
  • Review application logs for path-related errors or unexpected extraction behaviors

How to Mitigate CVE-2026-3087

Immediate Actions Required

  • Update Python installations to patched versions as soon as available
  • Audit applications that use shutil.unpack_archive() to process untrusted input
  • Implement input validation to reject ZIP archives containing absolute paths before extraction
  • Consider using alternative extraction methods with explicit path validation until patches are applied

Patch Information

Python has released security patches to address this vulnerability. The fixes are tracked in the following commits:

For detailed information about the vulnerability and patch status, refer to the Python Security Announcement and the GitHub Issue Discussion.

Workarounds

  • Validate ZIP archive contents before extraction, rejecting any entries with absolute paths
  • Run archive extraction in a sandboxed environment with restricted filesystem access
  • Use alternative extraction libraries that enforce strict path validation
  • Implement a wrapper function around shutil.unpack_archive() that normalizes paths and prevents directory escape
bash
# Example: Validate ZIP contents before extraction (PowerShell)
# Check for absolute paths in ZIP archive entries
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead("archive.zip")
foreach ($entry in $zip.Entries) {
    if ($entry.FullName -match "^[A-Za-z]:\\") {
        Write-Warning "Dangerous absolute path detected: $($entry.FullName)"
        # Block extraction or sanitize path
    }
}
$zip.Dispose()

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.