CVE-2026-6357 MEDIUM

CVE-2026-6357: pip self-update functionality can import newly installed modules after wheel installation

Vendor Pip Maintainers
Product pip
Published April 27, 2026
Last update April 27, 2026

CVSS base score

5.3/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Key dates

02Disclosure timeline

April 27, 2026 CVE published
April 27, 2026 Record updated