CVE-2026-22702
January 10, 2026
virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
Affected Packages
virtualenv (CONDA):
Affected version(s) >=1.11.6 <20.36.1Fix Suggestion:
Update to version 20.36.1https://github.com/pypa/virtualenv.git (GITHUB):
Affected version(s) >=1.2 <20.36.1Fix Suggestion:
Update to version 20.36.1virtualenv (PYTHON):
Affected version(s) >=0.8 <20.36.1Fix Suggestion:
Update to version 20.36.1virtualenv (PYTHON):
Affected version(s) >=0.8 <20.36.1Fix Suggestion:
Update to version 20.36.1Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
2
Attack Vector
LOCAL
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.5
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
EPSS
Base Score:
0.02
