UBUNTU-CVE-2026-6357

Source
https://ubuntu.com/security/CVE-2026-6357
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6357.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-6357
Upstream
Published
2026-04-27T15:16:00Z
Modified
2026-06-03T09:15:14.746004155Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

References

Affected packages

Ubuntu:25.10
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

25.*
25.0+dfsg-1
25.1.1+dfsg-1
25.1.1+dfsg-1ubuntu1
25.1.1+dfsg-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "25.1.1+dfsg-1ubuntu2"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "25.1.1+dfsg-1ubuntu2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6357.json"
Ubuntu:Pro:14.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.4.1-2
1.5.4-1
1.5.4-1ubuntu1
1.5.4-1ubuntu3
1.5.4-1ubuntu4
1.5.4-1ubuntu4+esm1
1.5.4-1ubuntu4+esm2
1.5.4-1ubuntu4+esm3
1.5.4-1ubuntu4+esm4
1.5.4-1ubuntu4+esm5

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip",
            "binary_version": "1.5.4-1ubuntu4+esm5"
        },
        {
            "binary_name": "python-pip-whl",
            "binary_version": "1.5.4-1ubuntu4+esm5"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "1.5.4-1ubuntu4+esm5"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6357.json"
Ubuntu:Pro:16.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.5.6-7ubuntu1
1.5.6-7ubuntu2
8.*
8.0.2-7
8.0.3-1
8.0.3-2
8.1.0-1
8.1.0-2
8.1.1-1
8.1.1-2
8.1.1-2ubuntu0.1
8.1.1-2ubuntu0.2
8.1.1-2ubuntu0.4
8.1.1-2ubuntu0.6
8.1.1-2ubuntu0.6+esm2
8.1.1-2ubuntu0.6+esm3
8.1.1-2ubuntu0.6+esm4
8.1.1-2ubuntu0.6+esm5
8.1.1-2ubuntu0.6+esm6
8.1.1-2ubuntu0.6+esm8
8.1.1-2ubuntu0.6+esm10
8.1.1-2ubuntu0.6+esm11
8.1.1-2ubuntu0.6+esm12

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip",
            "binary_version": "8.1.1-2ubuntu0.6+esm12"
        },
        {
            "binary_name": "python-pip-whl",
            "binary_version": "8.1.1-2ubuntu0.6+esm12"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "8.1.1-2ubuntu0.6+esm12"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6357.json"
Ubuntu:Pro:18.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.0.1-2
9.0.1-2.3~ubuntu1
9.0.1-2.3~ubuntu1.18.04.1
9.0.1-2.3~ubuntu1.18.04.2
9.0.1-2.3~ubuntu1.18.04.3
9.0.1-2.3~ubuntu1.18.04.4
9.0.1-2.3~ubuntu1.18.04.5
9.0.1-2.3~ubuntu1.18.04.5+esm2
9.0.1-2.3~ubuntu1.18.04.5+esm3
9.0.1-2.3~ubuntu1.18.04.6
9.0.1-2.3~ubuntu1.18.04.6+esm1
9.0.1-2.3~ubuntu1.18.04.7
9.0.1-2.3~ubuntu1.18.04.7+esm1
9.0.1-2.3~ubuntu1.18.04.8
9.0.1-2.3~ubuntu1.18.04.8+esm1
9.0.1-2.3~ubuntu1.18.04.8+esm2
9.0.1-2.3~ubuntu1.18.04.8+esm4
9.0.1-2.3~ubuntu1.18.04.8+esm6
9.0.1-2.3~ubuntu1.18.04.8+esm7
9.0.1-2.3~ubuntu1.18.04.8+esm8

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip",
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8"
        },
        {
            "binary_name": "python-pip-whl",
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6357.json"
Ubuntu:Pro:20.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

18.*
18.1-5
18.1-5build1
18.1-5ubuntu1
20.*
20.0.2-2
20.0.2-4
20.0.2-5
20.0.2-5ubuntu1
20.0.2-5ubuntu1.1
20.0.2-5ubuntu1.3
20.0.2-5ubuntu1.4
20.0.2-5ubuntu1.5
20.0.2-5ubuntu1.6
20.0.2-5ubuntu1.7
20.0.2-5ubuntu1.8
20.0.2-5ubuntu1.9
20.0.2-5ubuntu1.10
20.0.2-5ubuntu1.10+esm2
20.0.2-5ubuntu1.11
20.0.2-5ubuntu1.11+esm2
20.0.2-5ubuntu1.11+esm3
20.0.2-5ubuntu1.11+esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip-whl",
            "binary_version": "20.0.2-5ubuntu1.11+esm4"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "20.0.2-5ubuntu1.11+esm4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6357.json"
Ubuntu:Pro:22.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

20.*
20.3.4-4
21.*
21.3.1+dfsg-3
22.*
22.0.2+dfsg-1
22.0.2+dfsg-1ubuntu0.1
22.0.2+dfsg-1ubuntu0.2
22.0.2+dfsg-1ubuntu0.3
22.0.2+dfsg-1ubuntu0.4
22.0.2+dfsg-1ubuntu0.5
22.0.2+dfsg-1ubuntu0.6
22.0.2+dfsg-1ubuntu0.7
22.0.2+dfsg-1ubuntu0.7+esm1
22.0.2+dfsg-1ubuntu0.7+esm2
22.0.2+dfsg-1ubuntu0.7+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "22.0.2+dfsg-1ubuntu0.7+esm3"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "22.0.2+dfsg-1ubuntu0.7+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6357.json"
Ubuntu:Pro:24.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

23.*
23.2+dfsg-1
23.3+dfsg-1
24.*
24.0+dfsg-1
24.0+dfsg-1ubuntu1
24.0+dfsg-1ubuntu1.1
24.0+dfsg-1ubuntu1.2
24.0+dfsg-1ubuntu1.3
24.0+dfsg-1ubuntu1.3+esm1
24.0+dfsg-1ubuntu1.3+esm2
24.0+dfsg-1ubuntu1.3+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "24.0+dfsg-1ubuntu1.3+esm3"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "24.0+dfsg-1ubuntu1.3+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6357.json"
Ubuntu:Pro:26.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fresolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

25.*
25.1.1+dfsg-1ubuntu2
25.1.1+dfsg-1ubuntu2+esm1
25.1.1+dfsg-1ubuntu2+esm2
25.1.1+dfsg-1ubuntu2+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "25.1.1+dfsg-1ubuntu2+esm3"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "25.1.1+dfsg-1ubuntu2+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6357.json"