CVE-2026-7774 is a path traversal vulnerability in Python’s tarfile module that allows an attacker to bypass the data_filter safety control, which is designed to prevent files from being extracted outside their intended directory. By crafting a malicious tar archive, an attacker could write files to arbitrary locations on the host filesystem. This is particularly concerning in cloud and containerised environments where tar extraction is commonly used in build pipelines, deployment scripts, and data ingestion workflows.

Security Architect’s Take: Audit any Azure-hosted workloads, CI/CD pipelines, or serverless functions that extract tar archives using Python — particularly those accepting user-supplied or third-party archives. Ensure Python runtimes are patched promptly and consider adding post-extraction validation checks to confirm no files landed outside the intended target directory.

Original advisory: CVE-2026-7774 tarfile.data_filter path traversal bypass allows writing outside the extraction directory