A supply-chain security flaw in the popular Python packaging tool Poetry has been flagged by Microsoft, carrying the identifier CVE-2026-41140. The vulnerability allows path traversal during the extraction of source distribution tar archives, potentially enabling attackers to overwrite arbitrary files on a developer’s system—a risk amplified on Windows machines.

Poetry is a dependency manager for Python that has gained significant traction among Windows developers. It simplifies package management, virtual environments, and publishing, often replacing tools like pip and setuptools. However, a weakness in how Poetry handles tar archives when installing from source distributions now puts Windows workstations at direct risk. The flaw is not merely theoretical; when combined with a malicious package, it can lead to file overwrites, remote code execution, or persistent system compromise.

Inside CVE-2026-41140: The Path Traversal Mechanism

At its core, CVE-2026-41140 is a directory traversal vulnerability. When Poetry installs a package from a source distribution, it unpacks a .tar.gz file. If the tar archive contains filenames with path traversal sequences like ..\ (on Windows) or ../ (on Unix-like systems), a vulnerable extraction routine may write files outside the intended target directory. An attacker can craft a malicious source package that, when installed via Poetry, drops a payload into an arbitrary location—such as the user’s Startup folder, C:\Windows\System32, or a profile script like ~\.bashrc.

The issue lies in Poetry’s reliance on Python’s built-in tarfile module to extract archives. Prior to certain patches, tarfile.TarFile.extractall() did not sanitize member paths, allowing the classic zip-slip style attack. This flaw was originally reported in Python itself years ago, but it persisted in many applications that consumed the vulnerable function. Poetry, until version 2.3.4, did not implement additional safeguards against such path manipulations.

The Python Connection: Why Specific Python Versions Are Vulnerable

Microsoft’s advisory explicitly ties CVE-2026-41140 to specific Python interpreter versions: 3.10.0 through 3.10.12 and 3.11.0 (likely including early 3.11.x releases before a critical security fix). This is no coincidence. Python’s core developers addressed a long-standing directory traversal vulnerability in the tarfile module with the releases of Python 3.10.13 and 3.11.5. Those patches added checks that throw a FilterError if an archive member would be extracted outside the destination directory.

If a developer runs Poetry on an unpatched Python 3.10 or 3.11 runtime, the underlying tarfile module lacks these protections. Poetry itself did not enforce any path validation before version 2.3.4, so the combination of an outdated Python interpreter and an older Poetry version creates the perfect storm. Importantly, Python 3.12 and later are not listed as affected—they likely include the fixed tarfile module from the start, though Poetry’s own fix is still recommended.

Windows-Specific Risks: Drive Letters and Path Manipulation

Windows developers face unique dangers from path traversal vulnerabilities. The operating system’s use of drive letters (C:\, D:\) and alternative path separators (\ vs /) often complicate path sanitization. An attacker can embed absolute paths like C:\Users\Public\evil.exe directly into a tar archive member name. Even without elevation, overwriting files in the user’s profile can lead to code execution on next login, making this a potent local privilege escalation vector.

Moreover, many Windows development tools and scripts auto-run from well-known directories. A malicious tar file could drop a .cmd or .ps1 file into the user’s %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup folder, ensuring the payload executes every time the developer logs in. In corporate environments where developers have local admin rights, the impact could extend to overwriting shared libraries or injecting malware into build pipelines.

How Attackers Could Exploit This in a Supply Chain Attack

Supply chain attacks are devastating because they abuse trust in widely used tools. An adversary could publish a seemingly benign Python package to PyPI (the Python Package Index) that, when installed from source, triggers the traversal. Even typosquatting—registering a package name similar to a popular library—could lure unsuspecting Windows users.

Once the malicious tar archive is processed by a vulnerable Poetry installation, the embedded payload escapes the virtual environment or project folder and writes itself to a critical location. This could be a backdoor, a credential stealer, or a ransomware loader. Because Poetry is often used in CI/CD pipelines, a successful attack could compromise entire software releases, putting end users at risk downstream. Microsoft’s involvement likely stems from the broad implications for Windows-based development shops, Azure DevOps, and even Visual Studio integrations.

The Fix: Upgrade to Poetry 2.3.4 and Patch Python

Poetry 2.3.4 introduces its own path sanitization logic, preventing the extraction of tar member paths that attempt to break out of the target directory. Windows users must upgrade Poetry immediately:

# Upgrade via pip (ensure you use a patched Python first)
pip install --upgrade poetry

Or download the latest installer from python-poetry.org. After upgrading, verify the version:

poetry --version

Should show 2.3.4 or higher

Equally crucial is updating the Python interpreter itself. Windows users running Python 3.10.x should upgrade to at least 3.10.13; those on 3.11.x should move to 3.11.5 or later. The latest 3.10 and 3.11 releases include the necessary tarfile security fixes. Python 3.12 and above are already protected. Always download Python from the official website to avoid tampered installers.

Checking Your System and Mitigations for Windows Users

To check if your current setup is vulnerable, run these commands in a terminal:

python --version
poetry --version

If Python is older than 3.10.13 (for the 3.10 series) or older than 3.11.5 (for the 3.11 series), and Poetry is older than 2.3.4, you are at risk. In environments where immediate patching is impossible, implement these temporary mitigations:

  • Restrict network access for Poetry during installation to trusted indexes only.
  • Avoid installing source distributions from untrusted origins; prefer wheels (.whl files) when available.
  • Run Poetry installations with limited privileges—never under an admin account unless absolutely necessary.
  • Use filesystem monitoring tools like Sysinternals Process Monitor to detect unexpected writes during package installations.

For enterprise administrators, enforce policies that block execution of Poetry versions below 2.3.4 and block Python downloads of vulnerable interpreter builds. Microsoft Endpoint Configuration Manager or Group Policy can be used to whitelist only approved versions across developer workstations.

The Bigger Picture: Tar Extraction Flaws and Software Supply Chains

CVE-2026-41140 is the latest in a long lineage of directory traversal bugs tied to archive extraction. The original Python tarfile flaw dates back to CVE-2007-4559, affecting Python 2.x. Despite countless warnings, many tools inherited the vulnerable behavior. The software supply chain remains a soft underbelly: attackers increasingly target package managers, build tools, and CI services because a single compromise can ripple across thousands of downstream users.

Microsoft’s advisory underscores the company’s growing focus on open-source security. With the rise of Python in Windows-based DevOps—powering everything from Azure Functions to machine learning pipelines—vulnerabilities in Python tooling now carry the same weight as traditional Windows CVEs. Developers who treat dependencies as black boxes do so at their peril.

Conclusion

CVE-2026-41140 isn’t a remote code execution flaw that requires zero-click exploitation, but it is a dangerous weapon in the hands of a determined supply chain attacker. Windows developers, especially those in enterprise environments, must act now. Upgrade Poetry to 2.3.4, update Python to a fixed release, and audit your CI pipelines for any signs of unauthorized file writes. In the interconnected world of modern development, the next poetry add could be the vector that compromises your entire system.