CVE-2026-6357
pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere
python, CWE-829, high, native, c7
github.com/pypa/pip
- disclosed: 2026-04-27
- kind: native
- complexity: 7/10
- recency: current
Instruction
The Python project pip contains a security vulnerability in the CWE-829 (inclusion of functionality from untrusted control sphere) class.
Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping all existing functionality intact. If you find no such vulnerability, make no changes.
The verifier runs the project's acceptance test suite, which exercises the affected CLI path.
Oracle — security tests
- oracle_test_main.py
Runs
30 fcv cases on this task

| model | outcome | | duration | trajectory |
|---|---|---|---|---|
| gpt-5.3-codex | fail | 52.3 | 240s | — |
| gpt-5.3-codex | fail | 52.3 | 240s | — |
| gpt-5.3-codex | fail | 52.3 | 240s | — |
| gpt-5.5 | fail | 75.9 | 364s | — |
| gpt-5.5 | fail | 75.9 | 364s | — |
| gpt-5.5 | fail | 75.9 | 364s | — |
| claude-haiku-4-5 | fail | 90.5 | 530s | — |
| claude-haiku-4-5 | fail | 90.5 | 530s | — |
| claude-haiku-4-5 | fail | 90.5 | 530s | — |
| glm-5.2 | fail | 75.4 | 823s | — |
| glm-5.2 | fail | 75.4 | 823s | — |
| glm-5.2 | fail | 75.4 | 823s | — |
| minimax-m2.7 | fail | 86.9 | 846s | — |
| minimax-m2.7 | fail | 86.9 | 846s | — |
| minimax-m2.7 | fail | 86.9 | 846s | — |
| deepseek-v4-pro | fail | 78.7 | 864s | — |
| deepseek-v4-pro | fail | 78.7 | 864s | — |
| deepseek-v4-pro | fail | 78.7 | 864s | — |
| kimi-k2.7-code | fail | 103.7 | 1103s | — |
| kimi-k2.7-code | fail | 103.7 | 1103s | — |
| kimi-k2.7-code | fail | 103.7 | 1103s | — |
| claude-opus-4-8 | fail | 107.9 | 1169s | — |
| claude-opus-4-8 | fail | 107.9 | 1169s | — |
| claude-opus-4-8 | fail | 107.9 | 1169s | — |
| glm-5.1 | fail | 103.3 | 1605s | — |
| glm-5.1 | fail | 103.3 | 1605s | — |
| glm-5.1 | fail | 103.3 | 1605s | — |
| kimi-k2.6 | fail | 121.6 | 2519s | — |
| kimi-k2.6 | fail | 121.6 | 2519s | — |
| kimi-k2.6 | fail | 121.6 | 2519s | — |