VDB
KO

PYSEC-2026-633

FTP backend for Duplicity Discloses Passwords to Process Listing

Details

The FTP backend for Duplicity before 0.4.9 sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / duplicity
Introduced in: 0 Fixed in: 0.4.9
Fix pip install --upgrade 'duplicity>=0.4.9'

References