Skip to main content

Lumiverse CVE-2026-44449

| EUVDEUVD-2026-31980 CRITICAL
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-26 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 26, 2026 - 22:02 EUVD
Analysis Generated
May 26, 2026 - 21:00 vuln.today

DescriptionGitHub Advisory

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains "; !<cmd>; echo " achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7.

AnalysisAI

Argument injection in Lumiverse AI chat application before version 0.9.7 enables authenticated high-privilege attackers to execute arbitrary OS commands on the host. When the primary toSmbPath(fullPath) routine throws, a fallback path concatenates the unvalidated basename into an smbclient -c script, where ';' acts as a subcommand separator and '!cmd' triggers a local shell escape. No public exploit identified at time of analysis, and the issue is not currently in CISA KEV.

Technical ContextAI

Lumiverse (CPE cpe:2.3:a:prolix-oc:lumiverse) is a full-featured AI chat application that integrates with SMB shares via the smbclient utility. The root cause aligns with CWE-88 (Argument Injection): the code passes user-influenced path components directly into the -c script argument to smbclient. smbclient's interactive command grammar treats ';' as a command separator and '!<cmd>' as a 'local shell' escape that spawns /bin/sh on the host, so any unsanitised characters reaching that string become host-level commands. The vulnerable path is specifically the fallback after toSmbPath() fails: only the directory prefix is validated, while the basename is trusted and concatenated verbatim.

RemediationAI

Vendor-released patch: upgrade Lumiverse to 0.9.7 or later, where the basename is properly validated before being placed into the smbclient -c script (see https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-4v38-9hqq-7j53). Until the upgrade is applied, restrict who holds the privileged role required to submit SMB paths and, where possible, disable or gate the SMB integration feature entirely - accepting loss of SMB browsing functionality in exchange for blocking the injection sink. As a network-side compensating control, isolate the Lumiverse host so its outbound shell cannot reach internal resources, and consider running the process under a low-privilege service account to reduce blast radius of any successful '!cmd' escape.

Share

CVE-2026-44449 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy