PT-2026-29665 · Poetry+1

Bekkaze

·

Published

2026-04-01

·

Updated

2026-06-08

·

CVE-2026-34591

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Poetry versions 1.4.0 through 2.3.2

Description

Poetry, a Python dependency manager, contains a path traversal flaw. A crafted wheel file can carry member names with '..' segments, and Poetry writes those members to disk without a containment check, so an attacker can write arbitrary files with the privileges of the Poetry process. This affects users, CI/CD systems, and any installation of a malicious or compromised package; the issue is reachable during normal installation flows from untrusted package artifacts. The root cause is that Poetry joins the untrusted wheel entry path directly onto the destination directory without enforcing a resolve() or is_relative_to() style guard before writing.

Recommendations

Update to Poetry version 2.3.3 or later.
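The unguarded join the description refers to, and the containment check that closes it, as an added Python example. This is illustrative code written for this page, not Poetry's installer: the archive contents, the directory layout and the helper names build_traversal_wheel, extract_unguarded, member_is_contained, extract_guarded and demo are all constructed for the demonstration.

```python
# Added illustration (not Poetry's code): a toy wheel extractor showing the
# unguarded join the advisory describes next to a contained version.
import io
import tempfile
import zipfile
from pathlib import Path


def build_traversal_wheel() -> bytes:
    """Constructed sample archive: one benign member plus one whose name
    starts with '../..'. A wheel is an ordinary zip, so zipfile is enough."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "# benign module\n")
        zf.writestr("../../escaped.txt", "written outside the target directory\n")
    return buf.getvalue()


def extract_unguarded(wheel_bytes: bytes, dest: Path) -> list:
    """Vulnerable pattern: the member name is joined onto dest as-is, so the
    OS honours any '..' segments and the write can land anywhere."""
    written = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            target = dest / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def member_is_contained(dest, member: str) -> bool:
    """The guard the advisory names: resolve the candidate path and require it
    to stay inside the resolved destination (Path.is_relative_to is 3.9+).
    Absolute member names and '..' escapes both fail this test."""
    root = Path(dest).resolve()
    target = (root / member).resolve()
    return target.is_relative_to(root)


def extract_guarded(wheel_bytes: bytes, dest: Path) -> list:
    """Hardened pattern: validate every member name first, then write.
    Rejecting before any write avoids leaving a half-installed package."""
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        bad = [i.filename for i in zf.infolist()
               if not member_is_contained(root, i.filename)]
        if bad:
            raise ValueError(f"unsafe archive members: {bad}")
        for info in zf.infolist():
            target = root / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors under a scratch tree deep enough that the '../..'
    escape stays inside the temp directory; report what each one did."""
    wheel = build_traversal_wheel()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "a" / "b" / "site-packages"
        site.mkdir(parents=True)
        extract_unguarded(wheel, site)
        # site-packages/../../escaped.txt resolves to a/escaped.txt
        escaped_unguarded = (root / "a" / "escaped.txt").is_file()

        site2 = root / "c" / "site-packages"
        site2.mkdir(parents=True)
        try:
            extract_guarded(wheel, site2)
            rejected = False
        except ValueError:
            rejected = True
        escaped_guarded = (root / "escaped.txt").is_file()
        benign_written = (site2 / "pkg" / "__init__.py").exists()
    return {
        "unguarded_escaped": escaped_unguarded,
        "guarded_rejected": rejected,
        "guarded_escaped": escaped_guarded,
        "guarded_wrote_nothing": not benign_written,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping when adapting this: resolve the destination as well as the candidate, so a symlinked install directory compares consistently on both sides of the check, and validate the whole member list before writing anything, so a rejected archive never leaves a partially extracted package behind.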

Exploit

Fix

DoS

Path traversal


Weakness Enumeration

Related Identifiers

BDU:2026-07551
CVE-2026-34591
GHSA-2599-H6XX-HPXP

Affected Products

Poetry
Red Os