Intel

AIKIDO-2026-293625

setuptools is vulnerable to Information Disclosure

Information DisclosureCVE-2026-59890 Published Yesterday

61

Medium Risk

This Affects:

PYTHONsetuptools
0.0.1 - 82.0.1
Fixed in 83.0.0
Are you affected? Scan for Free

TL;DR

When building a source distribution, setuptools' FileList applies MANIFEST.in directives such as exclude, global-exclude, recursive-exclude, and prune by matching a compiled glob against on-disk file names byte-for-byte with no Unicode normalization. On normalization-preserving filesystems like macOS APFS and HFS+, a file stored in NFD and a pattern authored in NFC refer to the same file but are byte-distinct, so the exclusion silently fails to match. A non-ASCII file the maintainer intended to exclude is then packed into the sdist and can be published to the public PyPI index despite the rule. The fix normalizes both the walked paths and the MANIFEST.in patterns to a canonical Unicode form before matching so exclusions apply consistently.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you build source distributions on a normalization-preserving filesystem such as macOS APFS/HFS+ using MANIFEST.in exclusion rules that target non-ASCII file names.

Background info

setuptools is vulnerable to Information Disclosure in versions 0.0.1 - 82.0.1.

How to fix this

Upgrade the setuptools library to the patch version.