Low Security Vulnerability CVE-2026-1703

[tglunde]

Summary

Please update pip to 26 in order to avoid this CVE

https://github.com/exasol/dbt-exasol/security/dependabot/61

Class/Type	- path traversal vulnerability
Version(s)	- pip <26
Severity	- low
CVE Number	- CVE-2026-1703

Details

Description

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Impact

CVE low

References

https://github.com/exasol/dbt-exasol/security/dependabot/61

Solutions

Update to pip >=36

Credits

[ArBridgeman]

Thanks @tglunde , @tkilias will sync with you.

pip is a transitive dependency in the PTB. As such, only the poetry.lock version specific to our project is affected. It's currently our practice that transitive dependencies are updated on the customer-side using their dependency management tool. If the affected dependency were a main/prod/dev dependency, which we were constraining in some way in the pyproject.toml, we would address this and release a new version.

In this case, when I looking at the affected project: https://github.com/exasol/dbt-exasol and I check it out, I'm able with uv lock --upgrade to update pip version 26.0. So without further information on your use case, I think this is something that you can resolve within your project without the PTB taking action. Of course, every project is set up differently, so please let us know if that doesn't work for you and, so that we improve our knowledge, a reason why.