High Severity Vulnerability: lxml in agent 7.78.2 or less have vulnerability CVE: CVE-2026-41066

[ghimire]

Agent version

7.78.2

Bug Report

CVE-2026-41066: lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files

The python library lxml version 6.0.1 in /opt/datadog-agent/embedded/lib/python3.13/site-packages/lxml-6.0.1.dist-info/METADATA is vulnerable to CVE-2026-41066, which exists in versions < 6.1.0.

This can be fixed by updating the lxml package to version 6.1.0 or higher.

Related resources:

• Github Security Advisory

A public exploit for this vulnerability in lxml is available as well.

Reproduction Steps

No response

Agent configuration

No response

Operating System

No response

Other environment details

No response

[TKostrzewski]

Hey @ghimire! I'm not a contributor or anything, but am also interested in a patch for this vulnerability.

I was looking at #50060, and I believe that PR contained the fix we need. In #50060 (comment), I can see that the */lxml-6.1.0.dist-info/* package file was added, and in the same comment, the */lxml-6.0.1.dist-info/* package file was removed - the exact fix we needed.

I suspect we just have to wait for a release, and then we can benefit from it 🙌🏻 .

[jacjtito]

Hi @ghimire,
Thanks for your contribution!

This issue is planned to be fixed with 7.79 version planned to come out next week (May 18 - May 22), by bumping to lxml 6.1.0.
I'll ping here once 7.79 is released.