CVE-2022-26184

9.8 CRITICAL

📋 TL;DR

CVE-2022-26184 is an untrusted search path vulnerability in the Poetry package manager, versions 1.1.9 and below, on Windows. An attacker who can place malicious files in a directory where Poetry commands are run can execute arbitrary code with the privileges of the user running Poetry. Developers using Poetry on Windows systems are primarily affected.

💻 Affected Systems

Products:
  • Poetry
Versions: 1.1.9 and below
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems; Linux and macOS are not vulnerable. Requires the user to execute Poetry commands in a directory containing malicious content.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through arbitrary code execution with the privileges of the user running Poetry commands.

🟠 Likely Case

Local privilege escalation or execution of malicious scripts when developers run Poetry in untrusted directories.

🟢 If Mitigated

No impact if users only run Poetry in trusted directories or have updated to a patched version.

🌐 Internet-Facing: LOW - This is primarily a local exploitation vulnerability that requires user interaction.
🏢 Internal Only: HIGH - Developers frequently run package managers in many different directories, which makes internal exploitation likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to run Poetry commands in a malicious directory. A public proof of concept exists in the GitHub commit references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.10 and above

Vendor Advisory: https://github.com/python-poetry/poetry/releases/tag/1.1.9

Restart Required: No

Instructions:

1. Update Poetry using: poetry self update
2. Verify the installation with: poetry --version
3. Ensure the version is 1.1.10 or higher

🔧 Temporary Workarounds

Avoid untrusted directories (platform: windows)

Only run Poetry commands in trusted directories that you control.

Use Linux/macOS for Poetry operations (platform: all)

Run Poetry commands on non-Windows systems, where this vulnerability does not exist.

🧯 If You Can't Patch

  • Implement strict directory access controls for developers
  • Monitor for suspicious Poetry command execution in unusual directories

🔍 How to Verify

Check if Vulnerable:

Check the Poetry version with: poetry --version. If the version is 1.1.9 or below and Poetry is running on Windows, the system is vulnerable.

Check Version:

poetry --version

Verify Fix Applied:

Run: poetry --version and confirm the version is 1.1.10 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Poetry command execution in unusual directories
  • Multiple failed Poetry operations from the same user

Network Indicators:

  • Unusual outbound connections following Poetry command execution

SIEM Query:

Process execution where command contains 'poetry' and parent directory is suspicious or untrusted
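As an added example (not from the original page or from the Poetry project), the Python below implements the two checks described above: parsing `poetry --version` output against the 1.1.10 fix threshold, and flagging process-creation events in which Poetry ran with a working directory outside an allow-list of trusted project roots. The event fields, the trusted roots and the sample records are constructed for illustration.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

FIXED = (1, 1, 10)  # first patched release named in the advisory


def parse_poetry_version(output: str) -> Optional[Tuple[int, ...]]:
    """Extract the version tuple from `poetry --version` output, e.g. 'Poetry version 1.1.9'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(output: str, platform: str) -> bool:
    """Vulnerable only on Windows with Poetry below 1.1.10 (the advisory's stated condition)."""
    v = parse_poetry_version(output)
    return platform.lower().startswith("win") and v is not None and v < FIXED


@dataclass
class ProcEvent:
    """Constructed stand-in for a process-creation log record (Sysmon EID 1-style fields)."""
    user: str
    image: str
    command_line: str
    current_directory: str


# Assumed allow-list of roots under which developers are expected to run Poetry.
TRUSTED_ROOTS = [r"C:\src", r"C:\Users\alice\projects"]


def under_trusted_root(cwd: str, roots: List[str] = TRUSTED_ROOTS) -> bool:
    """True if cwd equals or lies beneath a trusted root (case-insensitive, Windows path rules)."""
    p = PureWindowsPath(cwd)
    return any(p == PureWindowsPath(r) or PureWindowsPath(r) in p.parents for r in roots)


def flag_untrusted_poetry_runs(events: List[ProcEvent], roots: List[str] = TRUSTED_ROOTS) -> List[ProcEvent]:
    """Return events where Poetry was invoked (directly or via a shell) outside the trusted roots."""
    hits = []
    for e in events:
        image_name = PureWindowsPath(e.image).name.lower()
        is_poetry = image_name.startswith("poetry") or re.search(r"\bpoetry\b", e.command_line.lower())
        if is_poetry and not under_trusted_root(e.current_directory, roots):
            hits.append(e)
    return hits


# Constructed sample records: one trusted run, one run from a downloaded repo, one unrelated process.
SAMPLE_EVENTS = [
    ProcEvent("alice", r"C:\Users\alice\AppData\Roaming\Python\Scripts\poetry.exe", "poetry install", r"C:\src\myproject"),
    ProcEvent("alice", r"C:\Windows\System32\cmd.exe", "cmd.exe /c poetry install", r"C:\Users\alice\Downloads\untrusted-repo"),
    ProcEvent("alice", r"C:\Program Files\Git\bin\git.exe", "git status", r"C:\Users\alice\Downloads\untrusted-repo"),
]

if __name__ == "__main__":
    for hit in flag_untrusted_poetry_runs(SAMPLE_EVENTS):
        print(f"ALERT: {hit.user} ran Poetry in untrusted directory {hit.current_directory}")
```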
