Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
python-utcp is the python implementation of UTCP. Prior to 1.1.3, the _substitute_utcp_args method in cli_communication_protocol.py inserts user-controlled tool_args values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c (Unix) or powershell.exe -Command (Windows), allowing an attacker to inject arbitrary shell commands. This vulnerability is fixed in 1.1.3.
AnalysisAI
Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.
Technical ContextAI
Python-utcp is a Python implementation of the Universal Tool Calling Protocol, providing a CLI communication interface for executing external tools with parameterized arguments. The vulnerability resides in the cli_communication_protocol.py module's _substitute_utcp_args method, which performs string interpolation of UTCP_ARG_..._UTCP_END placeholders within shell command templates. The affected code path invokes /bin/bash -c on Unix systems and powershell.exe -Command on Windows to execute dynamically constructed scripts containing user-supplied values. This represents a classic CWE-78 OS Command Injection flaw where metacharacters (semicolons, pipes, backticks, command substitution operators) in tool_args parameters are interpreted as shell syntax rather than literal data. The CPE pip/utcp-cli indicates this is a PyPI-distributed package affecting versions through 1.1.1. The fix in 1.1.2 applies language-appropriate quoting primitives (Python's shlex.quote for POSIX shells, custom PowerShell single-quote escaping for Windows) to ensure each placeholder expands to exactly one shell token, preventing metacharacter interpretation.
RemediationAI
Upgrade to utcp-cli version 1.1.2 or later immediately, available via PyPI (pip install --upgrade utcp-cli). The patched version applies shell-quoting to all UTCP_ARG placeholder substitutions using shlex.quote on Unix and PowerShell-safe single-quote literals on Windows, ensuring each placeholder expands to exactly one shell token. Critical behavioral change: tool definitions that previously relied on a single placeholder expanding to multiple shell tokens (e.g., UTCP_ARG_flags_UTCP_END expanding to --verbose --debug) must be refactored to use one placeholder per intended argument. Organizations should audit existing tool definitions and update them accordingly during upgrade testing. No workaround exists for versions prior to 1.1.2 other than completely rejecting all user-controlled tool_args inputs at the application boundary, which may not be feasible for legitimate use cases. For environments where immediate upgrade is blocked by the behavioral change, implement application-layer input validation to reject tool_args containing shell metacharacters (semicolons, pipes, backticks, dollar signs, newlines, ampersands), though this defense-in-depth measure is fragile and should only be temporary until proper upgrade. Review server logs for suspicious tool_args patterns that may indicate reconnaissance or exploitation attempts. Detailed patch implementation and migration guidance available in the GitHub advisory at the reference link above.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30475
GHSA-33p6-5jxp-p3x4