DEBIAN-CVE-2026-6357

Source
https://security-tracker.debian.org/tracker/CVE-2026-6357
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6357.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-6357
Upstream
Published
2026-04-27T15:16:20.857Z
Modified
2026-04-28T20:33:04.231752Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

pip prior to version 26.1 ran its self-update (version) check after installing wheel files. That check imports well-known Python module names, and those imports were intentionally deferred to reduce the startup time of the pip CLI; as a result, a module that a wheel had just installed under one of those names could be imported by pip's own process shortly after the installation. The patch moves the self-update check to run before wheels are installed, so that newly installed modules are not imported by the check. Users should still review package contents prior to installation.
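
The hazard described above is a wheel whose top-level names collide with modules that the installing process, or anything else on the host, later imports by name. The following is an added example (not pip's code and not part of the Debian tracker entry) of the pre-installation review the last sentence recommends: it lists the top-level importable names a wheel would place on sys.path and flags those that shadow the standard library or a distribution already installed in the current interpreter. The wheel it inspects is constructed in memory; the distribution name demo_pkg and the planted top-level json package are invented for the demonstration.

```python
"""Review a wheel's top-level names before installing it.

Added example, not code from pip or from the Debian security tracker. The wheel
inspected here is constructed in memory; 'demo_pkg' and the shadowing 'json'
package are invented for the demonstration.
"""
import io
import os
import sys
import sysconfig
import zipfile
from importlib import metadata


def build_demo_wheel() -> bytes:
    """Constructed wheel: a harmless package plus a top-level 'json' package
    that would shadow the standard library module of the same name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("demo_pkg/__init__.py", "VERSION = '0.1'\n")
        zf.writestr("json/__init__.py", "# would be imported instead of stdlib json\n")
        zf.writestr("demo_pkg-0.1.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: demo_pkg\nVersion: 0.1\n")
        zf.writestr("demo_pkg-0.1.dist-info/WHEEL",
                    "Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n")
        zf.writestr("demo_pkg-0.1.dist-info/RECORD", "")
    return buf.getvalue()


def top_level_names(wheel_bytes: bytes) -> set[str]:
    """Top-level importable names the wheel would add to sys.path.

    Taken from the first path component of every archive member, skipping the
    *.dist-info and *.data directories, which are metadata rather than code.
    'foo.py' and 'foo.cpython-311-x86_64-linux-gnu.so' both yield 'foo'.
    """
    names = set()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            first = info.filename.split("/", 1)[0]
            if not first or first.endswith((".dist-info", ".data")):
                continue
            names.add(first.split(".")[0])
    return names


def stdlib_names() -> set[str]:
    """Names of standard library modules for the running interpreter."""
    names = set(getattr(sys, "stdlib_module_names", ()))  # Python 3.10+
    if not names:  # older interpreters: approximate from the stdlib directory
        names.update(sys.builtin_module_names)
        for entry in os.listdir(sysconfig.get_paths()["stdlib"]):
            names.add(entry.split(".")[0])
    return names


def installed_names() -> dict[str, list[str]]:
    """Top-level name -> distributions already providing it in this environment."""
    try:
        return metadata.packages_distributions()  # Python 3.10+
    except AttributeError:
        return {}


def shadowed_names(names: set[str]) -> dict[str, str]:
    """Subset of *names* that collide with existing code, with the reason."""
    stdlib = stdlib_names()
    installed = installed_names()
    findings = {}
    for name in sorted(names):
        if name in stdlib:
            findings[name] = "shadows standard library module"
        elif name in installed:
            findings[name] = "already provided by " + ", ".join(installed[name])
    return findings


def review_wheel(wheel_bytes: bytes) -> dict[str, str]:
    """Names in the wheel that a reviewer should look at before installing it."""
    return shadowed_names(top_level_names(wheel_bytes))


if __name__ == "__main__":
    for name, reason in review_wheel(build_demo_wheel()).items():
        print(f"{name}: {reason}")
```

Run it against a real file with `review_wheel(open("pkg.whl", "rb").read())`. A non-empty result does not prove malice, but a wheel that ships a top-level name equal to a standard library module, or to one that another installed distribution already owns, is exactly the kind of content the advisory asks users to look at before pip (or anything else on the host) imports it.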

References

Affected packages

Debian:11 / python-pip

Package

Name
python-pip
Purl
pkg:deb/debian/python-pip?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

20.*
20.3.4-4
20.3.4-4+deb11u1
20.3.4-4+deb11u2
21.*
21.3.1+dfsg-1
21.3.1+dfsg-2
21.3.1+dfsg-3
22.*
22.0.2+dfsg-1
22.1+dfsg-1
22.1.1+dfsg-1
22.2+dfsg-1
22.3+dfsg-1
22.3.1+dfsg-1
22.3.1+dfsg-2
23.*
23.0+dfsg-1
23.0+dfsg-2
23.0.1+dfsg-1
23.1.2+dfsg-1
23.1.2+dfsg-2
23.2+dfsg-1
23.2.1+dfsg-1
23.3+dfsg-1
24.*
24.0+dfsg-1
24.0+dfsg-2
24.1+dfsg-1
24.1.1+dfsg-1
24.2+dfsg-1
24.3.1+dfsg-1
25.*
25.0+dfsg-1
25.0.1+dfsg-1
25.1+dfsg-1
25.1.1+dfsg-1
25.2+dfsg-1
25.3+dfsg-1
26.*
26.0+dfsg-1
26.0.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6357.json"

Debian:12 / python-pip

Package

Name
python-pip
Purl
pkg:deb/debian/python-pip?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

23.*
23.0.1+dfsg-1
23.1.2+dfsg-1
23.1.2+dfsg-2
23.2+dfsg-1
23.2.1+dfsg-1
23.3+dfsg-1
24.*
24.0+dfsg-1
24.0+dfsg-2
24.1+dfsg-1
24.1.1+dfsg-1
24.2+dfsg-1
24.3.1+dfsg-1
25.*
25.0+dfsg-1
25.0.1+dfsg-1
25.1+dfsg-1
25.1.1+dfsg-1
25.2+dfsg-1
25.3+dfsg-1
26.*
26.0+dfsg-1
26.0.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6357.json"

Debian:13 / python-pip

Package

Name
python-pip
Purl
pkg:deb/debian/python-pip?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

25.*
25.1.1+dfsg-1
25.2+dfsg-1
25.3+dfsg-1
26.*
26.0+dfsg-1
26.0.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6357.json"

Debian:14 / python-pip

Package

Name
python-pip
Purl
pkg:deb/debian/python-pip?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

25.*
25.1.1+dfsg-1
25.2+dfsg-1
25.3+dfsg-1
26.*
26.0+dfsg-1
26.0.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-6357.json"