EMMC-ASBL · TEAM4-0 · Mar 10, 2026 · Feb 23, 2026 · Mar 10, 2026 · Mar 10, 2026
diff --git a/.github/utils/requirements_audit.txt b/.github/utils/requirements_audit.txt
@@ -1 +1 @@
-pip-tools==7.5.1
+pip-tools==7.5.3
diff --git a/.github/workflows/ci_tests.yml b/.github/workflows/ci_tests.yml
@@ -75,16 +75,19 @@ jobs:
         pip install -U setuptools wheel
         pip install -U -r .github/utils/requirements_audit.txt
 
-        # TEMPORARY: Install pip<25.3 to avoid issues with pip-compile and pip 25.3+
-        pip install "pip<25.3"
-
     - name: Create requirements.txt for pip-audit
       run: pip-compile --output-file="${{ runner.temp }}/requirements.txt" --all-extras --verbose --color "${{ github.workspace }}/pyproject.toml"
 
     - name: Run pip-audit
       uses: pypa/gh-action-pip-audit@v1.1.0
       with:
         inputs: '${{ runner.temp }}/requirements.txt'
+        # CVE-2025-69872: DiskCache 5.6.3
+        #   DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default.
+        #   An attacker with write access to the cache directory can achieve arbitrary code execution
+        #   when a victim application reads from the cache.
+        ignore-vulns: |
+          CVE-2025-69872
 
   pytest-linux:
     name: pytest (linux-py${{ matrix.python-version }})

diff --git a/README.md b/README.md
@@ -12,6 +12,11 @@
 
 We highly recommend reading this page in [the official documentation](https://emmc-asbl.github.io/oteapi-core).
 
+!!! warning "Security Notice"
+    When using the `DataCache`, which is based on the [`diskcache`](https://grantjenks.com/docs/diskcache/) library, it is important to note that the cache uses pickle for serialization.
+    If not properly secured, an attacker with write access to the cache directoy can achieve arbitrary code execution.
+    This issue is described in further detail in the [CVE-2025-69872](https://www.cve.org/CVERecord?id=CVE-2025-69872) vulnerability.
+
 ## About OTEAPI Core
 
 OTEAPI Core provides the core functionality of OTEAPI, which stands for the *Open Translation Environment API*.

diff --git a/docs/index.md b/docs/index.md
@@ -12,6 +12,11 @@
 
 We highly recommend reading this page in [the official documentation](https://emmc-asbl.github.io/oteapi-core).
 
+!!! warning "Security Notice"
+    When using the `DataCache`, which is based on the [`diskcache`](https://grantjenks.com/diskcache/) library, it is important to note that the cache uses pickle for serialization.
+    If not properly secured, an attacker with write access to the cache directoy can achieve arbitrary code execution.
+    This issue is described in further detail in the [CVE-2025-69872](https://www.cve.org/CVERecord?id=CVE-2025-69872) vulnerability.
+
 ## About OTEAPI Core
 
 OTEAPI Core provides the core functionality of OTEAPI, which stands for the *Open Translation Environment API*.

diff --git a/pyproject.toml b/pyproject.toml
@@ -31,7 +31,7 @@ dependencies = [
     # Strategy dependencies
     "celery>=5.6.0,<6",
     "openpyxl>=3.1.5,<4",
-    "paramiko<4",
+    "paramiko<4",  # version 4+ has some breaking changes and is not yet supported by pysftp
     "Pillow>=10.4.0,<13",
     "psycopg[binary]>=3.2.6,<4",
     "pysftp~=0.2.9",