setuptools <83 FileList Unicode normalization bypass (CVE-2026-59890)
CVE-2026-59890 Published on July 8, 2026

setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.

NVD

Vulnerability Analysis

CVE-2026-59890 is exploitable with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-59890. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Types

Improper Handling of Unicode Encoding

The software does not properly handle when an input contains Unicode encoding.

Incorrect Comparison

The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.


Products Associated with CVE-2026-59890

Want to know whenever a new CVE is published for Python Setuptools? stack.watch will email you.

 

Affected Versions

pypa setuptools Version < 83.0.0 is affected by CVE-2026-59890