Vendored wheel 0.45.1 has CVE-2026-24049 - please update to 0.46.2

[jpdevex]

Summary

setuptools vendors wheel 0.45.1 which is affected by CVE-2026-24049 (Arbitrary File Permission Modification via Path Traversal).

Details

• Current vendored version: wheel 0.45.1
• Fixed version: wheel 0.46.2
• CVE: https://avd.aquasec.com/nvd/cve-2026-24049

Impact

Security scanners (like Trivy) flag this vulnerability in Docker images that use setuptools, even when wheel 0.46.2 is installed separately, because the vendored version remains in setuptools/_vendor/wheel-0.45.1.dist-info.

Request

Please update the vendored wheel to 0.46.2 or later in the next setuptools release.

Thank you!

[abravalheri]

Please note that setuptools itself is not affected by this vulnerability.

It does not reach the affected code path in wheel -- as it never calls the functionality of wheel unpack.

We probably will update the dependency shortly, but please bear with us as it may take a bit.

[jpdevex]

Thanks for the clarification! We understand setuptools doesn't reach the vulnerable code path.

However, the vulnerable code is still present at setuptools/_vendor/wheel/ and could technically be imported by other code. like:
from setuptools._vendor.wheel import ...

in my case security scanners flag it, blocking some CI/CD pipelines.

No rush, just wanted to explain why this matters even if setuptools itself doesn't use it. Thanks!

[abravalheri]

Thanks @jpdevex, I am working on it but hitting some CI/tooling walls that I am fixing on the way so... bit by bit we will arrive there.