Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-27T14:19:47 pip: pip: Arbitrary code execution or information disclosure via malicious wheel package installation 5.8 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N CWE-94

A flaw was found in pip. Prior to version 26.1, pip's self-update check functionality would execute after installing wheel packages. This process involved importing newly installed Python modules. A malicious actor could craft a specially designed wheel package that, when installed, could lead to the execution of arbitrary code or information disclosure due to the premature import of its modules during the self-update check.

Exploit Intelligence Out of support scope exploit-intelligence-tech-preview/vulnerability-analysis-rhel9 Migration Toolkit for Applications 8 Fix deferred mta/mta-rhel9-operator Migration Toolkit for Virtualization Fix deferred migration-toolkit-virtualization/mtv-rhel9-operator Migration Toolkit for Virtualization Out of support scope mtv-candidate/mtv-rhel9-operator OpenShift Lightspeed Fix deferred openshift-lightspeed/lightspeed-service-api-rhel9 OpenShift Service Mesh 3 Fix deferred openshift-service-mesh/kiali-rhel9-operator Pen Drive Powered by Red Hat Lightspeed Fix deferred pen-drive/pen-drive-scanner-rhel9 Red Hat AI Inference Server Not affected rhaiis/model-opt-cuda-rhel9 Red Hat AI Inference Server Not affected rhaiis/vllm-cpu-rhel9 Red Hat AI Inference Server Not affected rhaiis/vllm-cuda-rhel9 Red Hat AI Inference Server Not affected rhaiis/vllm-neuron-rhel9 Red Hat AI Inference Server Not affected rhaiis/vllm-rocm-rhel9 Red Hat AI Inference Server Fix deferred rhaiis/vllm-spyre-rhel9 Red Hat AI Inference Server Fix deferred rhaiis/vllm-tpu-rhel9 Red Hat Ansible Automation Platform 2 Out of support scope ansible-automation-platform-24/controller-rhel8 Red Hat Ansible Automation Platform 2 Out of support scope ansible-automation-platform-25/controller-rhel8 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/controller-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/controller-rhel9-operator Red Hat Ansible Automation Platform 2 Not affected ansible-automation-platform-26/de-minimal-rhel9 Red Hat Ansible Automation Platform 2 Not affected ansible-automation-platform-26/de-supported-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/eda-controller-rhel9-operator Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/gateway-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/gateway-rhel9-operator Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/hub-rhel9-operator Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/lightspeed-rhel9-operator Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/platform-resource-rhel9-operator Red Hat Ansible Automation Platform 2 Out of support scope ansible-automation-platform/automation-dashboard-rhel9 Red Hat Ansible Automation Platform 2 Not affected ansible-automation-platform-tech-preview/metrics-service-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-tech-preview/metrics-service-rhel9-operator Red Hat Ansible Automation Platform 2 Fix deferred automation-controller Red Hat Developer Hub Fix deferred rhdh/rhdh-hub-rhel9 Red Hat Discovery 2 Fix deferred discovery/discovery-server-rhel9 Red Hat Enterprise Linux 10 Fix deferred rhel10/python-312-minimal Red Hat Enterprise Linux 10 Fix deferred ubi10/python-312-minimal Red Hat Enterprise Linux 8 Fix deferred ubi8/python-311 Red Hat Enterprise Linux 8 Fix deferred ubi8/python-312 Red Hat Enterprise Linux 8 Fix deferred ubi8/python-36 Red Hat Enterprise Linux 8 Fix deferred ubi8/python-39 Red Hat Enterprise Linux 9 Fix deferred rhel9/python-311 Red Hat Enterprise Linux 9 Fix deferred rhel9/python-39 Red Hat Enterprise Linux 9 Fix deferred ubi9/python-311 Red Hat Enterprise Linux 9 Fix deferred ubi9/python-312 Red Hat Enterprise Linux 9 Fix deferred ubi9/python-312-minimal Red Hat Enterprise Linux 9 Fix deferred ubi9/python-39 Red Hat Enterprise Linux AI (RHEL AI) 3 Not affected rhelai3/bootc-aws-cuda-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Not affected rhelai3/bootc-azure-cuda-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rhelai3/bootc-azure-rocm-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rhelai3/bootc-cuda-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Not affected rhelai3/bootc-gcp-cuda-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rhelai3/bootc-rocm-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rhelai3/disk-image-cuda-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhai/base-image-cpu-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhai/base-image-cuda-12.9-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhai/base-image-cuda-13.0-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhai/base-image-neuron-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhai/base-image-rocm-6.4-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhai/base-image-rocm-7.0-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhai/base-image-spyre-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhai/base-image-tpu-rhel9 Red Hat OpenShift AI (RHOAI) Not affected rhoai/odh-built-in-detector-rhel9 Red Hat OpenShift AI (RHOAI) Not affected rhoai/odh-caikit-nlp-rhel9 Red Hat OpenShift AI (RHOAI) Not affected rhoai/odh-caikit-tgis-serving-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-feature-server-rhel9 Red Hat OpenShift AI (RHOAI) Not affected rhoai/odh-guardrails-detector-huggingface-runtime-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-kserve-storage-initializer-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-llama-stack-core-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-ml-pipelines-runtime-generic-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-mlserver-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-modelmesh-runtime-adapter-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-model-registry-job-async-upload-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-pipeline-runtime-minimal-cpu-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 Red Hat OpenShift AI (RHOAI) Not affected rhoai/odh-ta-lmes-job-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-training-cuda121-torch24-py311-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-training-cuda124-torch25-py311-rhel9 Red Hat OpenShift AI (RHOAI) Not affected rhoai/odh-training-cuda128-torch28-py312-rhel9 Red Hat OpenShift AI (RHOAI) Not affected rhoai/odh-training-cuda128-torch29-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-training-rocm62-torch24-py311-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-training-rocm62-torch25-py311-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-training-rocm64-torch28-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-training-rocm64-torch29-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-trustyai-nemo-guardrails-server-rhel9 Red Hat OpenShift AI (RHOAI) Not affected rhoai/odh-vllm-cuda-rhel9 Red Hat OpenShift AI (RHOAI) Not affected rhoai/odh-vllm-rocm-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-minimal-cuda-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9 Red Hat OpenShift Container Platform 4 Fix deferred openshift4/ose-ansible-rhel9-operator Red Hat OpenShift Dev Spaces Fix deferred devspaces/udi-rhel9 Red Hat Quay 3 Out of support scope quay/quay-rhel8 Red Hat Quay 3 Out of support scope quay/quay-rhel9 Red Hat Satellite 6 Fix deferred satellite/foreman-mcp-server-rhel9 Red Hat Satellite 6 Fix deferred satellite/iop-advisor-backend-rhel9 Red Hat Satellite 6 Fix deferred satellite/iop-advisor-engine-rhel9 Red Hat Trusted Artifact Signer Out of support scope rhtas/model-transparency-rhel9 Red Hat Trusted Artifact Signer Out of support scope rhtas/segment-reporting-rhel9 Service Telemetry Framework 1.5 Fix deferred stf/prometheus-webhook-snmp-rhel9 Service Telemetry Framework 1.5 Fix deferred stf/service-telemetry-rhel9-operator Service Telemetry Framework 1.5 Fix deferred stf/smart-gateway-rhel9-operator https://www.cve.org/CVERecord?id=CVE-2026-6357 https://nvd.nist.gov/vuln/detail/CVE-2026-6357 https://github.com/pypa/pip/pull/13923 https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/#security-fixes