CVE-2026-34591 Overview
CVE-2026-34591 is a Path Traversal vulnerability affecting Poetry, a popular dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel package can contain ../ sequences in file paths that Poetry writes to disk without proper containment checks. This allows an attacker to achieve arbitrary file write with the privileges of the Poetry process during normal package installation flows.
The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. While installing a malicious wheel is not sufficient for immediate code execution, the arbitrary file write capability can lead to subsequent code execution if the malicious package is later imported or invoked by the user.
Critical Impact
Arbitrary file write via crafted wheel packages can overwrite critical system files or inject malicious code into the user's environment, potentially leading to full system compromise when the malicious package is imported.
Affected Products
- Poetry versions 1.4.0 through 2.3.2
- Python projects using vulnerable Poetry versions for dependency management
- CI/CD pipelines and build systems utilizing affected Poetry versions
Discovery Timeline
- 2026-04-02 - CVE-2026-34591 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34591
Vulnerability Analysis
This Path Traversal vulnerability exists in Poetry's wheel installer component, specifically within the src/poetry/installation/wheel_installer.py file. The root cause is insufficient validation of file paths contained within wheel packages before writing them to disk.
Python wheel files (.whl) are ZIP archives containing the package files to be installed. A malicious actor can craft a wheel with directory traversal sequences (../) embedded in the archived file paths. When Poetry processes such a wheel during installation, it directly concatenates the target scheme directory with the path from the wheel archive without verifying that the resulting path remains within the intended installation directory.
The attack requires user interaction—specifically, the user must install a malicious package. This typically occurs through dependency confusion attacks, typosquatting on PyPI, or compromised package sources. The network attack vector enables remote exploitation through malicious packages hosted on public or private package repositories.
Root Cause
The vulnerable code directly concatenated the scheme directory path with the path extracted from the wheel archive without resolving or validating the final destination. The expression Path(self.scheme_dict[scheme]) / path allowed path components containing ../ to escape the intended installation directory, enabling writes to arbitrary locations accessible by the Poetry process.
Attack Vector
An attacker can exploit this vulnerability by:
- Creating a malicious Python wheel package containing files with ../ path traversal sequences
- Publishing the malicious package to PyPI or a private package index (potentially via typosquatting or dependency confusion)
- Waiting for a victim to install the package using a vulnerable Poetry version
- The malicious wheel writes files outside the intended package directory during installation
The attack could overwrite configuration files, inject code into other installed packages, or place executable scripts in sensitive locations.
from installer.utils import copyfileobj_with_hashing
from installer.utils import make_file_executable
- target_path = Path(self.scheme_dict[scheme]) / path
+ target_dir = Path(self.scheme_dict[scheme]).resolve()
+ target_path = (target_dir / path).resolve()
+
+ if not target_path.is_relative_to(target_dir):
+ raise ValueError(
+ f"Attempting to write {path} outside of the target directory"
+ )
+
if target_path.exists():
# Contrary to the base library we don't raise an error here since it can
# break pkgutil-style and pkg_resource-style namespace packages.
Source: GitHub Commit ed59537ac37
The patch resolves the vulnerability by first resolving the target directory to an absolute path using .resolve(), then resolving the full target path, and finally checking that the resolved path remains relative to the target directory using is_relative_to(). If the path escapes the target directory, a ValueError is raised, preventing the file write.
Detection Methods for CVE-2026-34591
Indicators of Compromise
- Presence of files in unexpected locations following package installations
- Unusual file modification timestamps on system files or configuration files
- Wheel packages containing ../ sequences in their archived file paths
- Poetry installation logs showing file operations outside expected site-packages directories
Detection Strategies
- Monitor file system activity during Poetry install operations for writes outside standard installation directories
- Implement package integrity verification by comparing installed file paths against expected locations
- Use static analysis tools to scan wheel packages for path traversal sequences before installation
- Enable verbose logging in CI/CD pipelines to capture suspicious installation behavior
Monitoring Recommendations
- Configure file integrity monitoring (FIM) on critical directories that could be targeted by path traversal attacks
- Monitor Python virtual environment directories for unexpected file additions or modifications
- Implement network monitoring to detect downloads of suspicious packages from package repositories
- Review Poetry installation logs regularly for error messages or unusual path operations
How to Mitigate CVE-2026-34591
Immediate Actions Required
- Upgrade Poetry to version 2.3.3 or later immediately using pip install --upgrade poetry or pipx upgrade poetry
- Audit recently installed packages and verify file integrity in affected environments
- Review dependency sources and ensure packages are obtained from trusted repositories
- Implement package allowlisting or private package indexes for sensitive environments
Patch Information
The vulnerability has been patched in Poetry version 2.3.3. The fix implements proper path resolution and validation to ensure wheel contents cannot escape the intended installation directory. For detailed information about the security fix, see the GitHub Security Advisory GHSA-2599-h6xx-hpxp and the GitHub Release 2.3.3.
Workarounds
- Use virtual environments to isolate installations and limit the impact of potential exploitation
- Implement strict package source policies, only allowing packages from verified sources
- Run Poetry with reduced privileges to limit the scope of potential file writes
- Use container-based build environments to isolate package installation from the host system
# Upgrade Poetry to the patched version
pip install poetry==2.3.3
# Or using pipx
pipx upgrade poetry
# Verify the installed version
poetry --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
