What is the CVSS score of CVE-2026-45370?

CVE-2026-45370 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of python-utcp are affected by CVE-2026-45370?

CVE-2026-45370 in python-utcp allows authenticated attackers to exfiltrate sensitive credentials (AWS keys, API tokens, database URLs) from process environment variables through a subprocess flaw.. A patch is available.

Is there a public PoC exploit available for CVE-2026-45370?

Yes, a public proof-of-concept exploit is available for CVE-2026-45370. Prioritise patching immediately. EPSS: 0.0%.

python-utcp CVE-2026-45370

EUVD-2026-30477 HIGH

Cleartext Storage of Sensitive Information in an Environment Variable (CWE-526)

2026-05-14 security-advisories@github.com

GHSA-5v57-8rxj-3p2r

Python Information Disclosure

7.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

May 14, 2026 - 22:05 vuln.today

Analysis Generated

May 14, 2026 - 22:05 vuln.today

Patch available

May 14, 2026 - 22:02 EUVD

CVE Published

May 14, 2026 - 21:16 nvd

HIGH 7.7

DescriptionNVD

python-utcp is the python implementation of UTCP. Prior to 1.1.3, _prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, an attacker can exfiltrate all process-level secrets in a single tool call. This vulnerability is fixed in 1.1.3.

AnalysisAI

python-utcp CLI subprocess environment passes all process-level secrets to every tool call. When chained with CVE-2026-45369 command injection, remote authenticated attackers with low-privilege LLM tool access can exfiltrate AWS credentials, API keys, database URLs, and other environment variables in a single HTTP request. …

RemediationAI

Within 24 hours: inventory all deployments of python-utcp and identify instances accessible to LLM tools or low-privilege users. Within 7 days: upgrade python-utcp to version 1.1.2 or later (NVD references 1.1.3 as fixed) across all affected systems; validate environment variable isolation post-patch. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-45370 vulnerability details – vuln.today

Back

python-utcp CVE-2026-45370

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code