CVE-2026-6357

Published: Apr 27, 2026

Modified: Apr 27, 2026

PUBLISHED

Description

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Vendor	Product	Versions
Pip maintainers	pip	affected `0 - < 26.1`

References

https://github.com/pypa/pip/pull/13923

patch

https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/#security-fixes

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-6357

Description

Affected Products

References