Severity by source
AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and then reach dangerous directives such as [env] _.source, templates, hooks, or tasks.
The strongest current variant is trusted_config_paths = ["/"]. I confirmed on current v2026.3.17 in Docker that this causes an untrusted project config to become trusted during mise hook-env, which then executes an attacker-controlled _.source script. The same preload issue also lets local yes = true / ci = true auto-approve trust prompts on v2026.2.18+, but the primary PoC below uses the stronger trusted_config_paths path.
Details
The vulnerable load order is:
Settings::try_get()preloads local settings files.parse_settings_file()returnssettings_file.settingswithout checking whether the file is trusted.trust_check()later consults those already-loaded settings.
The main trust-bypass path is in is_trusted():
let settings = Settings::get();
for p in settings.trusted_config_paths() {
if canonicalized_path.starts_with(p) {
add_trusted(canonicalized_path.to_path_buf());
return true;
}
}If a local project file sets:
[settings]
trusted_config_paths = ["/"]then every absolute path matches, so the same untrusted file is marked trusted before the dangerous-directive guard is reached.
Related variant: trust_check() auto-accepts explicit trust prompts when Settings::get().yes is true, and Settings::try_get() sets yes = true when ci is set. I confirmed that regression on v2026.2.18, but the primary PoC below does not depend on it.
PoC
Test environment:
- Docker
linux-arm64mise v2026.3.17
Negative control:
[env]
_.source = ["./poc.sh"]mise ls fails with:
Config files in /work/poc/.mise.toml are not trusted.and /tmp/mise-proof.txt is not created.
Primary exploit:
[settings]
trusted_config_paths = ["/"]
[env]
_.source = ["./poc.sh"]with:
#!/usr/bin/env bash
echo trusted_paths_hookenv > /tmp/mise-proof.txtThen:
mise hook-env -s bash --forceObserved:
/tmp/mise-proof.txt => trusted_paths_hookenvRelated regression check:
v2026.2.17: localyes = truedoes not bypass trustv2026.2.18: the same localyes = truevalue auto-approves the trust prompt and the side effect file is created
Impact
An attacker who can place a .mise.toml in a repository can make mise trust and evaluate dangerous directives from that same untrusted file.
Demonstrated on current supported versions:
- execution via
[env] _.sourceduringmise hook-env - bypass of the protection that
mise trustis supposed to provide for dangerous config features
On newer versions, the same root cause also lets local yes / ci values auto-approve explicit trust prompts.
Suggested Fix
Do not honor trust-control settings from non-global project config files.
At minimum, ignore these fields when loading local project config:
trusted_config_pathsyesciparanoid
For example:
pub fn parse_settings_file(path: &Path) -> Result<SettingsPartial> {
let raw = file::read_to_string(path)?;
let settings_file: SettingsFile = toml::from_str(&raw)?;
let mut settings = settings_file.settings;
if !config::is_global_config(path) {
settings.yes = None;
settings.ci = None;
settings.trusted_config_paths = None;
settings.paranoid = None;
}
Ok(settings)
}AnalysisAI
Local trust-control bypass in mise (Rust task runner) versions ≤2026.3.17 allows attackers to inject malicious configuration through .mise.toml files, leading to arbitrary code execution. By setting trusted_config_paths = ["/"] in a project-local config file, attackers bypass the trust verification mechanism that should prevent execution of dangerous directives like [env] _.source, hooks, templates, and tasks. Exploitation requires victim interaction (cloning/opening a malicious repository), but no authentication. EPSS data not available; no confirmed active exploitation or public exploit code beyond the GitHub advisory's proof-of-concept. Attack complexity is high due to the requirement for victim action and specific execution context (mise hook-env invocation).
Technical ContextAI
The vulnerability stems from a time-of-check-to-time-of-use (TOCTOU) race in mise's configuration loading sequence. The Settings::try_get() function preloads local .mise.toml settings files before trust_check() validates whether the configuration source should be trusted. The is_trusted() function consults Settings::get().trusted_config_paths() to determine if a config file is in a trusted location, but this setting has already been populated from the untrusted local file itself. This creates a circular trust: the attacker-controlled .mise.toml defines its own trust boundary (e.g., trusted_config_paths = ["/"] to trust all absolute paths), which is then used to validate that same file. The CWE-284 (Improper Access Control) classification reflects this failure to enforce consistent trust boundaries across configuration sources. Additional regression variants allow local yes=true or ci=true settings to auto-approve trust prompts introduced in v2026.2.18, though the primary exploit path works across all versions through v2026.3.17.
RemediationAI
Upgrade to the patched version of mise once released by the vendor. The upstream GitHub advisory at github.com/jdx/mise/security/advisories/GHSA-436v-8fw5-4mj8 should be monitored for patch availability and the specific fixed version number. The suggested fix involves modifying the parse_settings_file() function to strip trust-control fields (trusted_config_paths, yes, ci, paranoid) from non-global configuration sources before they are used in trust validation. Until a patch is available, mitigation strategies include: manually auditing .mise.toml files in untrusted repositories before running mise commands; restricting mise usage to trusted codebases only; implementing organizational policies requiring code review of .mise.toml changes; and avoiding automatic mise hook-env execution in shell initialization when working with untrusted projects. Consider temporarily disabling mise shell integration (removing mise activate from shell profiles) and using explicit mise trust commands only after manual configuration review. Organizations should inventory all systems with mise installed and prepare for coordinated patching once the fix is released.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19952
GHSA-436v-8fw5-4mj8