Fluid Attacks Database

Description

pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel9	python-312-minimal	-	-
debian 11	python-pip	=20.3.4-4 \|\| =20.3.4-4+deb11u1 \|\| =20.3.4-4+deb11u2 \|\| =21.3.1+dfsg-1 \|\| =21.3.1+dfsg-2 \|\| =21.3.1+dfsg-3 \|\| =22.0.2+dfsg-1 \|\| =22.1+dfsg-1 \|\| =22.1.1+dfsg-1 \|\| =22.2+dfsg-1 \|\| =22.3+dfsg-1 \|\| =22.3.1+dfsg-1 \|\| =22.3.1+dfsg-2 \|\| =23.0+dfsg-1 \|\| =23.0+dfsg-2 \|\| =23.0.1+dfsg-1 \|\| =23.1.2+dfsg-1 \|\| =23.1.2+dfsg-2 \|\| =23.2+dfsg-1 \|\| =23.2.1+dfsg-1 \|\| =23.3+dfsg-1 \|\| =24.0+dfsg-1 \|\| =24.0+dfsg-2 \|\| =24.1+dfsg-1 \|\| =24.1.1+dfsg-1 \|\| =24.2+dfsg-1 \|\| =24.3.1+dfsg-1 \|\| =25.0+dfsg-1 \|\| =25.0.1+dfsg-1 \|\| =25.1+dfsg-1 \|\| =25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1 \|\| =26.1.1+dfsg-1	-
debian 12	python-pip	=23.0.1+dfsg-1 \|\| =23.1.2+dfsg-1 \|\| =23.1.2+dfsg-2 \|\| =23.2+dfsg-1 \|\| =23.2.1+dfsg-1 \|\| =23.3+dfsg-1 \|\| =24.0+dfsg-1 \|\| =24.0+dfsg-2 \|\| =24.1+dfsg-1 \|\| =24.1.1+dfsg-1 \|\| =24.2+dfsg-1 \|\| =24.3.1+dfsg-1 \|\| =25.0+dfsg-1 \|\| =25.0.1+dfsg-1 \|\| =25.1+dfsg-1 \|\| =25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1 \|\| =26.1.1+dfsg-1	-
debian 13	python-pip	=25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1 \|\| =26.1.1+dfsg-1	-
debian 14	python-pip	=25.1.1+dfsg-1 \|\| =25.2+dfsg-1 \|\| =25.3+dfsg-1 \|\| =26.0+dfsg-1 \|\| =26.0.1+dfsg-1 \|\| >=0 <26.1.1+dfsg-1	26.1.1+dfsg-1
rpm rhel9	python-311	-	-
rpm rhel10	python-312-minimal	-	-
rpm rhel8	python-36	-	-
rpm rhel8	python-312	-	-
rpm rhel9	python-39	-	-

1-10 of 14

Aliases

1. CVE-2026-63572. NVD-2026-63573. OSV-2026-63574. OSV-DEBIAN-2026-63575. GCVE-2026-63576. SECURITY-TRACKER-CVE-2026-6357

References

1. https://github.com/pypa/pip/pull/139232. https://github.com/pypa/pip/commit/b369bfc96cc524e00c267e1693290e6599c36bad3. https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/#security-fixes4. http://www.openwall.com/lists/oss-security/2026/04/27/7

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.