CVE-2026-41140: Poetry Path Traversal in Python

🟠 High  |  Source: Microsoft Security Response Center

CVE-2026-41140 is a path traversal vulnerability in Poetry, a Python dependency management tool, affecting Python versions 3.10.0–3.10.12 and 3.11.0–3.11.4. The flaw occurs during tar archive extraction, potentially allowing a malicious package to write files outside the intended directory. This could lead to arbitrary file overwrite or code execution on systems that process untrusted Python packages.

Architect’s Take: Audit any Azure-hosted pipelines or build environments using Poetry with the affected Python versions and upgrade to patched releases immediately. Pay particular attention to CI/CD systems that install dependencies from external or untrusted sources, as these represent the highest-risk attack surface.

Original advisory: CVE-2026-41140 Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4