CVE-2026-6357 — pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere

Description

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

How to fix CVE-2026-6357

To remediate CVE-2026-6357, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 26.1 or later

Is CVE-2026-6357 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 26.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-6357
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-6357
PATCHgithub.com/pypa/pip
WEBgithub.com/pypa/pip/commit/b369bfc96cc524e00c267e1693290e6599c36bad
WEB