{
  "threat_severity" : "Important",
  "public_date" : "2026-04-24T17:10:33Z",
  "bugzilla" : {
    "description" : "poetry: Poetry: Path traversal vulnerability allows arbitrary file write via malicious package extraction",
    "id" : "2461604",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461604"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-22",
  "details" : [ "A flaw was found in Poetry, a dependency manager for Python. This vulnerability allows a remote attacker to perform a path traversal attack. By crafting a malicious software package, the `extractall()` function in Poetry can be tricked into writing files to unintended locations on the system. This could lead to the creation or overwrite of critical system files, potentially compromising the integrity of the system." ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-26/controller-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-26/eda-controller-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-26/hub-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-26/lightspeed-chatbot-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-agent-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-router-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-storage-initializer-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "poetry",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "python-poetry",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41140\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41140\nhttps://github.com/python-poetry/poetry/security/advisories/GHSA-73h3-mf4w-8647" ],
  "name" : "CVE-2026-41140",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}