- CVE: CVE-2026-55706
- CVSS: 5.8 (Medium · CVSSv3)
- Product: OpenBSD
- Affected: < 076e2b1c1fc4ac0883a72d3544131ad5cee7adf8
- Impact: sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass...
- Status: No confirmed exploitation yet
- Patched in: 076e2b1c1fc4ac0883a72d3544131ad5cee7adf8
- EPSS: 0.2% (30-day)
- Action: Update to 076e2b1c1fc4ac0883a72d3544131ad5cee7adf8 now
TL;DR
Security experts disclosed a high-severity flaw (CVE-2026-11940) in Python: a CPython tarfile vulnerability that allows directory traversal during archive extraction, so attackers can read or write files outside the intended destination directory.
Why it matters
This issue carries a CVSS score of 7.8. Applications that automatically extract untrusted archives face severe risks: attackers could overwrite critical system files or steal sensitive application data. Currently, no public proof-of-concept exists, and the vendor has not confirmed active exploitation in the wild. The exact number of affected installations remains unknown.
How the attack works
The bug affects the tarfile.extractall() function and bypasses the ‘data’ and ‘tar’ extraction filters. An attacker crafts a malicious archive containing a hardlink whose link target is a deeper symbolic link. The extraction fallback validates that symlink at its original depth, but then recreates it at the shallower hardlink path. A relative target that resolved safely at the deeper location now escapes the destination folder, leaving an out-of-destination symlink.
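A pre-extraction check a defender can run over an archive's member list, added here as an example and not code from CPython or the advisory: it finds hardlink members whose link target is a symlink inside the archive and re-resolves that symlink's relative target at the hardlink's shallower path, which is exactly the case the filters miss. The sample members are constructed inline; on a real file, call it as `find_hardlink_symlink_escapes(tarfile.open(path).getmembers())`.

```python
import posixpath
import tarfile
from typing import Iterable, List


def _escapes(link_path: str, target: str) -> bool:
    """True if a symlink placed at link_path (archive-relative) would point
    outside the extraction root once its target is resolved."""
    if posixpath.isabs(target):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved == ".." or resolved.startswith("../")


def find_hardlink_symlink_escapes(members: Iterable[tarfile.TarInfo]) -> List[str]:
    """Report hardlinks that, when materialised as a copy of a symlink member,
    would yield a symlink escaping the destination directory."""
    members = list(members)
    by_name = {m.name: m for m in members}
    findings = []
    for m in members:
        if not m.islnk():
            continue
        src = by_name.get(m.linkname)
        if src is None or not src.issym():
            continue
        # The symlink may be valid at src.name; the risk is the same target
        # recreated at the hardlink's (shallower) location m.name.
        if _escapes(m.name, src.linkname):
            findings.append(
                f"{m.name} -> symlink {src.name} (target {src.linkname!r}) "
                f"escapes the destination when recreated at the hardlink path"
            )
    return findings


def _constructed_sample() -> List[tarfile.TarInfo]:
    # Constructed sample members (assumed names), not taken from any real archive.
    deep = tarfile.TarInfo("a/b/c/link")   # symlink three levels down
    deep.type = tarfile.SYMTYPE
    deep.linkname = "../../../x"           # resolves to "x" at this depth: allowed
    shallow = tarfile.TarInfo("hard")      # hardlink at the root pointing at that symlink
    shallow.type = tarfile.LNKTYPE
    shallow.linkname = "a/b/c/link"
    ok_sym = tarfile.TarInfo("a/b/c/ok")   # benign symlink to a sibling
    ok_sym.type = tarfile.SYMTYPE
    ok_sym.linkname = "../sibling"
    ok_hard = tarfile.TarInfo("a/hard2")   # hardlink to it that stays inside the root
    ok_hard.type = tarfile.LNKTYPE
    ok_hard.linkname = "a/b/c/ok"
    return [deep, shallow, ok_sym, ok_hard]
```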
Affected versions
This flaw stems from an incomplete fix for an older bug: it bypasses the previous patch for CVE-2025-4330. All Python versions using the vulnerable extraction filters are affected.
Patch or mitigation steps
Developers must update their Python environments immediately; the official Python security advisory lists the specific patch releases. Until patched, systems should avoid extracting untrusted tar archives, and administrators should restrict file extraction permissions where possible.