diff --git a/.github/security/pip-audit-ignore.txt b/.github/security/pip-audit-ignore.txt
index 57dc94a..5713843 100644
--- a/.github/security/pip-audit-ignore.txt
+++ b/.github/security/pip-audit-ignore.txt
@@ -5,6 +5,8 @@
 # Format:
 # # CVE-XXXX-NNNN — short reason; tracking issue / fix ETA.
 # CVE-XXXX-NNNN
-#
-# Currently empty for the harness scaffold — add entries as upstream
-# advisories require.
+
+# CVE-2026-3219 — pip 26.0.1; advisory disclosed April 2026, blocks every
+# build until pip 26.0.2+ ships in the GHA tool cache. Remove once
+# `actions/setup-python` upgrades the bundled pip.
+CVE-2026-3219
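Review bot: The new CVE-2026-3219 entry has no tracking issue and no dated ETA, although the format comment at the top of this hunk asks for "tracking issue / fix ETA", so nothing will prompt anyone to lift the suppression once a fixed pip is available. I would add a line such as `# Tracking: <issue-url>; re-check by <YYYY-MM-DD>.` to the comment. The comment explains why the build is blocked but not why the finding is acceptable to ignore; one sentence on whether the affected pip behaviour is reachable in this CI would make the risk decision auditable. If a fixed pip is already published (the "ships in the GHA tool cache" wording suggests it may be), upgrading pip in the workflow before the audit step would avoid the ignore entirely, though the workflow is not visible here, so this needs confirming.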