CVE-2026-1703 (LOW): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-1703	LOW	pip	25.3	26.0	2026-02-02T15:16:30.51Z	2026-02-03T10:19:07.035287524Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/python:latest	public.ecr.aws/lambda/python@sha256:9452cd99484f2ac5ac8242449f28bc3c0adc34f6422b47e3cc12a146cdf87813
public.ecr.aws/lambda/python:3.14	public.ecr.aws/lambda/python@sha256:c443e20f7cc81154d46bf4b5cba3d3942745b72d4d9a4b1f9936e2e84f3ff329
public.ecr.aws/lambda/python:3.13	public.ecr.aws/lambda/python@sha256:9452cd99484f2ac5ac8242449f28bc3c0adc34f6422b47e3cc12a146cdf87813
public.ecr.aws/lambda/python:3.12	public.ecr.aws/lambda/python@sha256:cdfe66594d4a1447912bb1c789029b6993de4160614ca443cf6bbbc2ba7d8ea1
public.ecr.aws/lambda/python:3.11	public.ecr.aws/lambda/python@sha256:413119971089b50f39e9ffa81e6c29c3a892f651168f0ef8f6e38a62a4f03371
public.ecr.aws/lambda/python:3.10	public.ecr.aws/lambda/python@sha256:6fbad9b89aa6b47a769e05ab088d1ebb39c4d18463b32b4107a8f0c0096398d6

---

Description

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

---

Remediation Steps

• Update the affected package pip from version 25.3 to 26.0.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.