Skip to main content

python-utcp CVE-2026-45369

| EUVDEUVD-2026-30475 HIGH
OS Command Injection (CWE-78)
2026-05-14 security-advisories@github.com GHSA-33p6-5jxp-p3x4
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
May 14, 2026 - 22:05 vuln.today
Analysis Generated
May 14, 2026 - 22:05 vuln.today
Patch available
May 14, 2026 - 22:02 EUVD
CVE Published
May 14, 2026 - 21:16 nvd
HIGH 8.3

DescriptionGitHub Advisory

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the _substitute_utcp_args method in cli_communication_protocol.py inserts user-controlled tool_args values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c (Unix) or powershell.exe -Command (Windows), allowing an attacker to inject arbitrary shell commands. This vulnerability is fixed in 1.1.3.

AnalysisAI

Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.

Technical ContextAI

Python-utcp is a Python implementation of the Universal Tool Calling Protocol, providing a CLI communication interface for executing external tools with parameterized arguments. The vulnerability resides in the cli_communication_protocol.py module's _substitute_utcp_args method, which performs string interpolation of UTCP_ARG_..._UTCP_END placeholders within shell command templates. The affected code path invokes /bin/bash -c on Unix systems and powershell.exe -Command on Windows to execute dynamically constructed scripts containing user-supplied values. This represents a classic CWE-78 OS Command Injection flaw where metacharacters (semicolons, pipes, backticks, command substitution operators) in tool_args parameters are interpreted as shell syntax rather than literal data. The CPE pip/utcp-cli indicates this is a PyPI-distributed package affecting versions through 1.1.1. The fix in 1.1.2 applies language-appropriate quoting primitives (Python's shlex.quote for POSIX shells, custom PowerShell single-quote escaping for Windows) to ensure each placeholder expands to exactly one shell token, preventing metacharacter interpretation.

RemediationAI

Upgrade to utcp-cli version 1.1.2 or later immediately, available via PyPI (pip install --upgrade utcp-cli). The patched version applies shell-quoting to all UTCP_ARG placeholder substitutions using shlex.quote on Unix and PowerShell-safe single-quote literals on Windows, ensuring each placeholder expands to exactly one shell token. Critical behavioral change: tool definitions that previously relied on a single placeholder expanding to multiple shell tokens (e.g., UTCP_ARG_flags_UTCP_END expanding to --verbose --debug) must be refactored to use one placeholder per intended argument. Organizations should audit existing tool definitions and update them accordingly during upgrade testing. No workaround exists for versions prior to 1.1.2 other than completely rejecting all user-controlled tool_args inputs at the application boundary, which may not be feasible for legitimate use cases. For environments where immediate upgrade is blocked by the behavioral change, implement application-layer input validation to reject tool_args containing shell metacharacters (semicolons, pipes, backticks, dollar signs, newlines, ampersands), though this defense-in-depth measure is fragile and should only be temporary until proper upgrade. Review server logs for suspicious tool_args patterns that may indicate reconnaissance or exploitation attempts. Detailed patch implementation and migration guidance available in the GitHub advisory at the reference link above.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-45369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy