wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24049.json
https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx
https://github.com/pypa/wheel/releases/tag/0.46.2
https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef
https://bugzilla.redhat.com/show_bug.cgi?id=2431959
https://access.redhat.com/security/cve/CVE-2026-24049
https://access.redhat.com/errata/RHSA-2026:7250
https://access.redhat.com/errata/RHSA-2026:6565
https://access.redhat.com/errata/RHSA-2026:6562
https://access.redhat.com/errata/RHSA-2026:6555
https://access.redhat.com/errata/RHSA-2026:6192
https://access.redhat.com/errata/RHSA-2026:5119
https://access.redhat.com/errata/RHSA-2026:4942
https://access.redhat.com/errata/RHSA-2026:4271
https://access.redhat.com/errata/RHSA-2026:4215
https://access.redhat.com/errata/RHSA-2026:4185
https://access.redhat.com/errata/RHSA-2026:3960
https://access.redhat.com/errata/RHSA-2026:3959
https://access.redhat.com/errata/RHSA-2026:3958
https://access.redhat.com/errata/RHSA-2026:3782
https://access.redhat.com/errata/RHSA-2026:3713
https://access.redhat.com/errata/RHSA-2026:3462
https://access.redhat.com/errata/RHSA-2026:3461
https://access.redhat.com/errata/RHSA-2026:2925
https://access.redhat.com/errata/RHSA-2026:2900
https://access.redhat.com/errata/RHSA-2026:2866
https://access.redhat.com/errata/RHSA-2026:2865
https://access.redhat.com/errata/RHSA-2026:2823
https://access.redhat.com/errata/RHSA-2026:2762
https://access.redhat.com/errata/RHSA-2026:2754
https://access.redhat.com/errata/RHSA-2026:2710
https://access.redhat.com/errata/RHSA-2026:2695
https://access.redhat.com/errata/RHSA-2026:2694
https://access.redhat.com/errata/RHSA-2026:2681
https://access.redhat.com/errata/RHSA-2026:2675
https://access.redhat.com/errata/RHSA-2026:2139
https://access.redhat.com/errata/RHSA-2026:2106
https://access.redhat.com/errata/RHSA-2026:2090
https://access.redhat.com/errata/RHSA-2026:20089
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:1942
https://access.redhat.com/errata/RHSA-2026:1939
https://access.redhat.com/errata/RHSA-2026:1902
https://access.redhat.com/errata/RHSA-2026:17599
https://access.redhat.com/errata/RHSA-2026:1504
https://access.redhat.com/errata/RHSA-2026:14020