Skip to main content

python-utcp CVE-2026-45370

| EUVDEUVD-2026-30477 HIGH
Cleartext Storage of Sensitive Information in an Environment Variable (CWE-526)
2026-05-14 security-advisories@github.com GHSA-5v57-8rxj-3p2r
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Source Code Evidence Fetched
May 14, 2026 - 22:05 vuln.today
Analysis Generated
May 14, 2026 - 22:05 vuln.today
Patch available
May 14, 2026 - 22:02 EUVD
CVE Published
May 14, 2026 - 21:16 nvd
HIGH 7.7

DescriptionGitHub Advisory

python-utcp is the python implementation of UTCP. Prior to 1.1.3, _prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, an attacker can exfiltrate all process-level secrets in a single tool call. This vulnerability is fixed in 1.1.3.

AnalysisAI

python-utcp CLI subprocess environment passes all process-level secrets to every tool call. When chained with CVE-2026-45369 command injection, remote authenticated attackers with low-privilege LLM tool access can exfiltrate AWS credentials, API keys, database URLs, and other environment variables in a single HTTP request. Patch available in version 1.1.2 (NVD references 1.1.3 as fixed version). GitHub security advisory confirms proof-of-concept demonstrating credential theft via env dump to attacker-controlled endpoint.

Technical ContextAI

python-utcp implements the Universal Tool Calling Protocol for AI agents to invoke CLI tools. The vulnerable _prepare_environment() function in cli_communication_protocol.py unconditionally copies os.environ to subprocess execution environments. This violates CWE-526 (Cleartext Storage of Sensitive Information in Environmental Variables) by exposing secrets like AWS_SECRET_ACCESS_KEY, OPENAI_API_KEY, DATABASE_URL, and ANTHROPIC_API_KEY to every subprocess. Unix process inheritance model normally restricts environment visibility, but this implementation actively propagates the full parent environment. The CVSS Changed Scope (S:C) reflects that secrets from the host process (one security authority) leak into attacker-controlled subprocess contexts (different authority). Python's os.environ.copy() returns a mutable dictionary, so this isn't a reference issue but deliberate full replication. The fix introduces an explicit allowlist model (PATH, HOME, LANG on Unix; PATH, SYSTEMROOT on Windows) with opt-in inheritance via CliCallTemplate.inherit_env_vars, shifting from implicit-unsafe to explicit-safe design.

RemediationAI

Upgrade utcp-cli to version 1.1.2 or later (note: NVD references 1.1.3 as fixed version - verify with vendor advisory at https://github.com/universal-tool-calling-protocol/python-utcp/security/advisories/GHSA-5v57-8rxj-3p2r which confirms 1.1.2 contains the fix). Patch replaces os.environ.copy() with explicit allowlist model: default inherits only PATH/HOME/LANG (Unix) or PATH/SYSTEMROOT (Windows). Use CliCallTemplate.inherit_env_vars=[] for strict mode preventing all host environment inheritance. If immediate upgrade impossible, remove all sensitive credentials from process environment before starting python-utcp (store secrets in files with restricted permissions, key management services, or vaults). Trade-off: environment-based configuration is common in containerized deployments, so file-based secrets require application refactoring. Audit all CliCallTemplate definitions to ensure env_vars field contains only non-sensitive values. Block or heavily restrict access to CLI tool invocation endpoints if secrets cannot be removed from environment. This compensating control reduces attack surface but limits python-utcp functionality. Deploy network egress filtering to prevent subprocess HTTP callbacks, though sophisticated attackers can use DNS exfiltration or other covert channels.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-45370 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy