Skip to main content

Wrangler CVE-2026-0933

CRITICAL
Improper Input Validation (CWE-20)
2026-01-20 cna@cloudflare.com GHSA-36p8-mvp6-cv38
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 20, 2026 - 23:16 nvd
CRITICAL 9.9

DescriptionCVE.org

SummaryA command injection vulnerability (CWE-78) has been found to exist in the wrangler pages deploy command. The issue occurs because the --commit-hash parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of --commit-hash to execute arbitrary commands on the system running Wrangler.

Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g.,  execSync(git show -s --format=%B ${commitHash})). Shell metacharacters are interpreted by the shell, enabling command execution.

ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where wrangler pages deploy is used in automated pipelines and the

--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:

  • Run any shell command.
  • Exfiltrate environment variables.
  • Compromise the CI runner to install backdoors or modify build artifacts.

Credits Disclosed responsibly by kny4hacker.

Mitigation

  • Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
  • Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
  • Users on Wrangler v2 (EOL) should upgrade to a supported major version.

AnalysisAI

Cloudflare Wrangler CLI has a CVSS 9.9 command injection vulnerability in the 'wrangler pages deploy' command that allows arbitrary code execution during deployment.

Technical ContextAI

The wrangler pages deploy command in Cloudflare's Wrangler CLI has a CWE-20 input validation flaw that allows command injection (CWE-78) through specially crafted deployment parameters or file names.

RemediationAI

Update Wrangler CLI. Sanitize file names in deployment pipelines. Use minimal CI/CD permissions.

Share

CVE-2026-0933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy