CVE-2026-22702

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc	Patch
https://github.com/pypa/virtualenv/pull/3013	Issue Tracking Patch
https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986	Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:virtualenv:virtualenv:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-10 07:16

Updated : 2026-02-18 17:43

NVD link : CVE-2026-22702

Mitre link : CVE-2026-22702

CVE.ORG link : CVE-2026-22702

JSON object : View

Products Affected

virtualenv

virtualenv

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2026-22702", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.0}]}, "published": "2026-01-10T07:16:02.857", "references": [{"url": "https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pypa/virtualenv/pull/3013", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1."}, {"lang": "es", "value": "virtualenv es una herramienta para crear entornos virtuales de Python aislados. Antes de la versi\u00f3n 20.36.1, las vulnerabilidades TOCTOU (Time-of-Check-Time-of-Use) en virtualenv permiten a atacantes locales realizar ataques basados en enlaces simb\u00f3licos en operaciones de creaci\u00f3n de directorios. Un atacante con acceso local puede explotar una condici\u00f3n de carrera entre las comprobaciones de existencia de directorios y su creaci\u00f3n para redirigir las operaciones de los archivos app_data y de bloqueo de virtualenv a ubicaciones controladas por el atacante. Este problema ha sido parcheado en la versi\u00f3n 20.36.1."}], "lastModified": "2026-02-18T17:43:08.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:virtualenv:virtualenv:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1339346E-BA67-4C3F-8792-7F1829C91FA2", "versionEndExcluding": "20.36.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}