wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking

🗓️ 06 Mar 2026 16:36:31Reported by RedHatType

redhat

redhat🔗 access.redhat.com👁 1 Views

Path traversal in wheel unpacking changes file permissions, enabling privilege escalation.

Reporter	Title	Published	Views	Family All 200
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in wheel-0.45.1-py3-none-any.whl	5 May 202622:30	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in wheel affects IBM Netezza Appliance	16 Apr 202609:34	–	ibm
IBM Security Bulletins	Security Bulletin: Maximo AI Service uses multiple third party dependencies which is vulnerable to multiple CVEs.	31 Mar 202613:54	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in wheel affects IBM watsonx Orchestrate with watsonx Assistant Cartridge	23 Mar 202619:39	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in wheel affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.	4 May 202614:25	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect Data Virtualization on IBM Software Hub (April 2026 - Part 1 of 2)	1 May 202605:38	–	ibm
IBM Security Bulletins	Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities	16 Apr 202613:14	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection Component uses wheel dependency which is vulnerable to CVE-2026-24049.	30 Mar 202611:40	–	ibm
IBM Security Bulletins	Security Bulletin: File permission modification, improper access control, and other vulnerabilities might affect IBM Storage Defender - Resiliency Service	16 Feb 202615:12	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Quantum Safe Remediator is affected by multiple vulnerabilities	5 May 202615:14	–	ibm

OS	OS Version	Architecture	Package	Package Version	Filename
Red Hat Enterprise Linux	8	aarch64	automation-controller	0:4.6.26-1.el8ap	automation-controller-0:4.6.26-1.el8ap.aarch64.rpm
Red Hat Enterprise Linux	8	ppc64le	automation-controller	0:4.6.26-1.el8ap	automation-controller-0:4.6.26-1.el8ap.ppc64le.rpm
Red Hat Enterprise Linux	8	s390x	automation-controller	0:4.6.26-1.el8ap	automation-controller-0:4.6.26-1.el8ap.s390x.rpm
Red Hat Enterprise Linux	8	x86_64	automation-controller	0:4.6.26-1.el8ap	automation-controller-0:4.6.26-1.el8ap.x86_64.rpm
Red Hat Enterprise Linux	9	aarch64	automation-controller	0:4.6.26-1.el9ap	automation-controller-0:4.6.26-1.el9ap.aarch64.rpm
Red Hat Enterprise Linux	9	ppc64le	automation-controller	0:4.6.26-1.el9ap	automation-controller-0:4.6.26-1.el9ap.ppc64le.rpm
Red Hat Enterprise Linux	9	s390x	automation-controller	0:4.6.26-1.el9ap	automation-controller-0:4.6.26-1.el9ap.s390x.rpm
Red Hat Enterprise Linux	9	x86_64	automation-controller	0:4.6.26-1.el9ap	automation-controller-0:4.6.26-1.el9ap.x86_64.rpm
Red Hat Enterprise Linux	8	any	automation-controller-cli	0:4.6.26-1.el8ap.noarch	automation-controller-cli-0:4.6.26-1.el8ap.noarch.noarch.rpm
Red Hat Enterprise Linux	9	any	automation-controller-cli	0:4.6.26-1.el9ap.noarch	automation-controller-cli-0:4.6.26-1.el9ap.noarch.noarch.rpm

Source	Link
access	www.access.redhat.com/security/cve/CVE-2026-24049
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
github	www.github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef
github	www.github.com/pypa/wheel/releases/tag/0.46.2
github	www.github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-24049
cve	www.cve.org/CVERecord

03 Jun 2026 19:14Current

6.3Medium risk

Vulners AI Score6.3

CVSS 3.15.5 - 7.1

EPSS0.00015

SSVC

wheel unpacking path traversal permission changes critical files privilege escalation code execution malicious wheel unix