PatchSiren cyber security CVE debrief
CVE-2026-4360 Python Software Foundation CVE debrief
A vulnerability exists in the Tarfile.extract() function where the filter parameter is not properly passed when extracting hardlinks. This could lead to files being written with unexpected uid/gid values, even when the user specifies filter='data' to the extract() function. The issue arises because the filter parameter is not correctly passed during the extraction of hardlinks, potentially resulting in security issues if untrusted tar files are extracted. Users should be cautious and ensure they are using a patched version of the Tarfile module to prevent unauthorized file writes. It is particularly important for system administrators and developers who handle tar files from untrusted sources to review and update their Python installations accordingly. Additionally, implementing careful validation and handling of tar files from untrusted sources can mitigate the risk associated with this vulnerability.
- Vendor
- Python Software Foundation
- Product
- CPython
- CVSS
- LOW 2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-30
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-06-30
- Advisory updated
- 2026-07-07
Who should care
Users of Python who extract content from untrusted tar files should be aware of this vulnerability. This is particularly relevant for system administrators and developers who handle tar files from untrusted sources.
Technical summary
The vulnerability is located in the Tarfile.extract() function. When extracting hardlinks, the filter parameter is not passed correctly. This can result in files being written with unexpected user and group IDs (uid/gid). The issue arises even when the user attempts to mitigate this by passing filter='data' to the extract() function. The vulnerability has a CVSS score of 2, indicating a low severity.
Defensive priority
This vulnerability requires attention, particularly for environments where untrusted tar files are routinely extracted. The priority is moderate due to the low CVSS score, but it should not be ignored, especially in systems handling sensitive data.
Recommended defensive actions
- Review and update Python installations to ensure they are using a version that includes the fix for this vulnerability.
- Implement careful validation and handling of tar files from untrusted sources.
- Consider using alternative extraction methods that provide better control over file permissions.
- Monitor system logs for unexpected file writes or permission changes.
- Educate users about the risks associated with extracting untrusted tar files.
Evidence notes
The CVE record was published on 2026-06-30T15:16:57.193Z and was last modified on 2026-07-07T18:16:38.800Z. The NVD entry is currently awaiting analysis. Multiple references are provided, including commits and discussions related to the fix.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-30T15:16:57.193Z and has not been modified since then.