PyPI · Filelock · CVE-2026-22701
**Name of the Vulnerable Software and Affected Versions**
filelock versions prior to 3.20.3
**Description**
A race condition exists in the `SoftFileLock` implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a timing issue between permission validation and file creation. This race condition occurs in the `_acquire()` method between `raise_on_not_writable_file()` and `os.open()`. An attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.
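The check-then-open gap described above can be avoided by letting a single `os.open()` call both validate and create the lock file. The following is an added example, not filelock's code or its patch; `acquire_soft_lock`, `release_soft_lock`, `demo` and the file names are assumptions made for this illustration, and the files are constructed in a private temporary directory.

```python
import errno
import os
import tempfile


def acquire_soft_lock(lock_path):
    """Create lock_path atomically; return an fd, or None if held or unsafe."""
    # No writability pre-check: the open itself is the check, so nothing can
    # change at lock_path between "validate" and "create".
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    # O_NOFOLLOW refuses a symlink as the final path component (POSIX only;
    # falls back to 0 where the platform lacks it).
    flags |= getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(lock_path, flags, 0o600)
    except FileExistsError:
        return None  # lock is held, or something (even a symlink) is at the path
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            return None  # symlink at the lock path rejected by O_NOFOLLOW
        raise


def release_soft_lock(fd, lock_path):
    os.close(fd)
    os.unlink(lock_path)


def demo():
    """Run against constructed files in a private temp dir; returns four booleans."""
    with tempfile.TemporaryDirectory() as d:
        lock = os.path.join(d, "app.lock")
        other = os.path.join(d, "unrelated.txt")
        with open(other, "w") as f:
            f.write("keep me")
        fd = acquire_soft_lock(lock)
        got_lock = fd is not None
        contended = acquire_soft_lock(lock) is None
        release_soft_lock(fd, lock)
        # Constructed condition: a symlink already sits at the lock path.
        os.symlink(other, lock)
        refused = acquire_soft_lock(lock) is None
        with open(other) as f:
            intact = f.read() == "keep me"
        return got_lock, contended, refused, intact


if __name__ == "__main__":
    print(demo())
```

A refused acquisition is reported the same way as a held lock, so callers that retry should bound their wait to avoid blocking indefinitely on a path that never becomes free.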
**Recommendations**
Upgrade to filelock version 3.20.3 or later.