Anonymous Intelligence Signal

CVE-2026-41140: Poetry 2.3.4 Patches Critical Path Traversal Vulnerability in Tar Extraction

The Lab (unverified), 2026-04-22 15:27:40. Source: GitHub Issues

Poetry, the widely adopted Python dependency management tool, has released version 2.3.4 to address a critical path traversal vulnerability in its tar extraction functionality. Tracked as CVE-2026-41140, the security flaw allows an attacker to write files to arbitrary locations on a system during package installation, potentially enabling arbitrary code execution or system compromise. The vulnerability stems from insufficient validation of file paths within tar archives during the extraction process.

The flaw specifically affects Poetry running on Python versions 3.10.0 through 3.10.12 and 3.11.0 through 3.11.4. Users on these Python releases who process untrusted or malicious tar archives face the highest risk of exploitation. The update from version 2.3.3 to 2.3.4 remediates the vulnerability by sanitizing member paths and checking that each one resolves inside the extraction directory before any file is written. Organizations using Poetry in automated build pipelines, CI/CD environments, or dependency resolution workflows are particularly exposed if they handle third-party packages or operate in multi-tenant development environments.
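The kind of boundary check the fix describes, as an added example rather than Poetry's own code: each member name, and each symlink or hard-link target, is resolved against the destination directory and the whole archive is refused if anything lands outside it. The sample archive is constructed inline and the destination path is a hypothetical one that need not exist for the check to run.

```python
import io
import os
import tarfile

def member_escapes(dest: str, name: str) -> bool:
    """True if `name` would resolve outside `dest` (absolute path or '..' climb)."""
    dest_real = os.path.realpath(dest)
    # join() drops dest_real when name is absolute (a case to reject), so resolve
    # the joined path and compare it against the resolved destination.
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) != dest_real

def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members that would write, or link, outside `dest`."""
    bad = []
    for m in tar.getmembers():
        if member_escapes(dest, m.name):
            bad.append(m.name)
        elif m.issym() or m.islnk():
            # Symlink targets are relative to the link's own directory; hard
            # link targets are relative to the archive root.
            base = os.path.dirname(m.name) if m.issym() else ""
            if member_escapes(dest, os.path.join(base, m.linkname)):
                bad.append(m.name)
    return bad

def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Reject the whole archive if any member fails the boundary check."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract outside {dest!r}: {bad}")
    tar.extractall(dest)  # Python 3.12+ can additionally pass filter="data"

def build_demo_archive() -> bytes:
    """Constructed sample: a benign file, a '..' traversal, and an escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("pkg/README.md", b"ok\n"), ("../evil.txt", b"x\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/escape")
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside"
        tar.addfile(link)
    return buf.getvalue()

def demo(dest: str = "build/extract") -> list[str]:
    # dest is a hypothetical extraction directory; it does not need to exist.
    with tarfile.open(fileobj=io.BytesIO(build_demo_archive())) as tar:
        return unsafe_members(tar, dest)
```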

Security teams should prioritize updating Poetry installations to version 2.3.4 immediately, especially in production build systems and environments processing external Python packages. The Python Packaging Authority and maintainers have confirmed the patch is included in the latest release. Downstream projects that bundle Poetry or rely on specific Python version constraints should verify their dependency configurations to ensure the corrected version is propagated through their supply chain. The NVD entry for CVE-2026-41140 provides additional technical details for security auditors assessing impact within their infrastructure.