CVE-2026-3219 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-3219	MEDIUM	pip	26.0.1	26.1	2026-04-20T16:16:45.43Z	2026-05-21T10:18:26.538630705Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/python:latest	public.ecr.aws/lambda/python@sha256:c1c48889a63cda891a315702c08bb197d0dad4581a0f5c2e66c4f264b0662dc1
public.ecr.aws/lambda/python:3.13	public.ecr.aws/lambda/python@sha256:c1c48889a63cda891a315702c08bb197d0dad4581a0f5c2e66c4f264b0662dc1
public.ecr.aws/lambda/python:3.12	public.ecr.aws/lambda/python@sha256:c1f9a2c7fc928b5856b8643bb683bd5dbe4abd2163b55eeb9a465319ba12a8b3
public.ecr.aws/lambda/python:3.11	public.ecr.aws/lambda/python@sha256:843e3c382c0ea9d84dc913dc5e634a9cc4861ebe1ccb22a3d08df2f9bf2061a8
public.ecr.aws/lambda/python:3.10	public.ecr.aws/lambda/python@sha256:a4a895c23fa371f268df952812c5f00695b4ee0f6a9611357a37083499452ec5

---

Description

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

---

Remediation Steps

• Update the affected package pip from version 26.0.1 to 26.1.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.