Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
python-utcp is the python implementation of UTCP. Prior to 1.1.3, _prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, an attacker can exfiltrate all process-level secrets in a single tool call. This vulnerability is fixed in 1.1.3.
AnalysisAI
python-utcp CLI subprocess environment passes all process-level secrets to every tool call. When chained with CVE-2026-45369 command injection, remote authenticated attackers with low-privilege LLM tool access can exfiltrate AWS credentials, API keys, database URLs, and other environment variables in a single HTTP request. Patch available in version 1.1.2 (NVD references 1.1.3 as fixed version). GitHub security advisory confirms proof-of-concept demonstrating credential theft via env dump to attacker-controlled endpoint.
Technical ContextAI
python-utcp implements the Universal Tool Calling Protocol for AI agents to invoke CLI tools. The vulnerable _prepare_environment() function in cli_communication_protocol.py unconditionally copies os.environ to subprocess execution environments. This violates CWE-526 (Cleartext Storage of Sensitive Information in Environmental Variables) by exposing secrets like AWS_SECRET_ACCESS_KEY, OPENAI_API_KEY, DATABASE_URL, and ANTHROPIC_API_KEY to every subprocess. Unix process inheritance model normally restricts environment visibility, but this implementation actively propagates the full parent environment. The CVSS Changed Scope (S:C) reflects that secrets from the host process (one security authority) leak into attacker-controlled subprocess contexts (different authority). Python's os.environ.copy() returns a mutable dictionary, so this isn't a reference issue but deliberate full replication. The fix introduces an explicit allowlist model (PATH, HOME, LANG on Unix; PATH, SYSTEMROOT on Windows) with opt-in inheritance via CliCallTemplate.inherit_env_vars, shifting from implicit-unsafe to explicit-safe design.
RemediationAI
Upgrade utcp-cli to version 1.1.2 or later (note: NVD references 1.1.3 as fixed version - verify with vendor advisory at https://github.com/universal-tool-calling-protocol/python-utcp/security/advisories/GHSA-5v57-8rxj-3p2r which confirms 1.1.2 contains the fix). Patch replaces os.environ.copy() with explicit allowlist model: default inherits only PATH/HOME/LANG (Unix) or PATH/SYSTEMROOT (Windows). Use CliCallTemplate.inherit_env_vars=[] for strict mode preventing all host environment inheritance. If immediate upgrade impossible, remove all sensitive credentials from process environment before starting python-utcp (store secrets in files with restricted permissions, key management services, or vaults). Trade-off: environment-based configuration is common in containerized deployments, so file-based secrets require application refactoring. Audit all CliCallTemplate definitions to ensure env_vars field contains only non-sensitive values. Block or heavily restrict access to CLI tool invocation endpoints if secrets cannot be removed from environment. This compensating control reduces attack surface but limits python-utcp functionality. Deploy network egress filtering to prevent subprocess HTTP callbacks, though sophisticated attackers can use DNS exfiltration or other covert channels.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30477
GHSA-5v57-8rxj-3p2r