Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-04-24T17:10:33 poetry: Poetry: Path traversal vulnerability allows arbitrary file write via malicious package extraction 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H CWE-22

A flaw was found in Poetry, a dependency manager for Python. This vulnerability allows a remote attacker to perform a path traversal attack. By crafting a malicious software package, the `extractall()` function in Poetry can be tricked into writing files to unintended locations on the system. This could lead to the creation or overwrite of critical system files, potentially compromising the integrity of the system.

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. Red Hat Ansible Automation Platform 2 Affected ansible-automation-platform-26/controller-rhel9 Red Hat Ansible Automation Platform 2 Affected ansible-automation-platform-26/eda-controller-rhel9 Red Hat Ansible Automation Platform 2 Affected ansible-automation-platform-26/hub-rhel9 Red Hat Ansible Automation Platform 2 Affected ansible-automation-platform-26/lightspeed-chatbot-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-kserve-agent-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-kserve-controller-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-kserve-router-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-kserve-storage-initializer-rhel9 Red Hat OpenShift Container Platform 4 Affected poetry Red Hat Satellite 6 Affected python-poetry https://www.cve.org/CVERecord?id=CVE-2026-41140 https://nvd.nist.gov/vuln/detail/CVE-2026-41140 https://github.com/python-poetry/poetry/security/advisories/GHSA-73h3-mf4w-8647