{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3479", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-03-03T14:18:35.394Z", "datePublished": "2026-03-18T18:13:42.288Z", "dateUpdated": "2026-04-07T22:01:35.724Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["pkgutil"], "product": "CPython", "vendor": "Python Software Foundation", "versions": [{"version": "0", "lessThan": "3.13.13", "status": "affected", "versionType": "python"}, {"version": "3.14.0", "lessThan": "3.14.4", "status": "affected", "versionType": "python"}, {"version": "3.15.0a1", "lessThan": "3.15.0a8", "status": "affected", "versionType": "python"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.</p><p>pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.</p>"}], "value": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.\n\npkgutil.get_data() did not validate the resource argument as documented, allowing path traversals."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "baseScore": 0, "baseSeverity": "NONE", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-04-07T22:01:35.724Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/python/cpython/pull/146122"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/146121"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c"}], "source": {"discovery": "UNKNOWN"}, "tags": ["disputed"], "title": "pkgutil.get_data() does not enforce documented restrictions", "x_generator": {"engine": "Vulnogram 0.6.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T18:50:20.603616Z", "id": "CVE-2026-3479", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T18:50:41.609Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3479", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T18:50:20.603616Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T18:49:24.573Z"}}], "cna": {"tags": ["disputed"], "title": "pkgutil.get_data() does not enforce documented restrictions", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 0, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Python Software Foundation", "modules": ["pkgutil"], "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.13.13", "versionType": "python"}, {"status": "affected", "version": "3.14.0", "lessThan": "3.14.4", "versionType": "python"}, {"status": "affected", "version": "3.15.0a1", "lessThan": "3.15.0a8", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/pull/146122", "tags": ["patch"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/issues/146121", "tags": ["issue-tracking"]}, {"url": "https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.6.0"}, "descriptions": [{"lang": "en", "value": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.\n\npkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.", "supportingMedia": [{"type": "text/html", "value": "<p>DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.</p><p>pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.</p>", "base64": false}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-04-07T22:01:35.724Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3479", "state": "PUBLISHED", "dateUpdated": "2026-04-07T22:01:35.724Z", "dateReserved": "2026-03-03T14:18:35.394Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2026-03-18T18:13:42.288Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "cna@python.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.\n\npkgutil.get_data() did not validate the resource argument as documented, allowing path traversals."}, {"lang": "es", "value": "pkgutil.get_data() no valid\u00f3 el argumento de recurso como se document\u00f3, permitiendo recorridos de ruta."}], "id": "CVE-2026-3479", "lastModified": "2026-04-07T18:16:46.740", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2026-03-18T19:16:06.810", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1fe"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c7"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e943"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59c"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/146121"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/146122"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "python: Python pkgutil.get_data(): Path Traversal via improper resource argument validation", "id": "2448746", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448746"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Python's `pkgutil.get_data()` function, which is used to retrieve data from packages. This function did not properly validate the `resource` argument, allowing a local attacker to perform path traversal attacks. Path traversal enables an attacker to access files and directories stored outside the intended root directory, potentially leading to information disclosure or unintended file access."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-3479", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python39-devel:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-03-18T18:13:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3479\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3479\nhttps://github.com/python/cpython/issues/146121\nhttps://github.com/python/cpython/pull/146122\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/"], "threat_severity": "Low"}