CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-0933: Wrangling a Shell: Command Injection in Cloudflare's Deployment Tool

Vulnerability ID: CVE-2026-0933
CVSS Score: 7.7
Published: 2026-01-21

A high-severity command injection vulnerability in Cloudflare Wrangler's pages deploy command allows attackers to execute arbitrary code via a crafted commit hash argument.

TL;DR

Cloudflare Wrangler, the CLI for Workers and Pages, failed to sanitize the --commit-hash argument of the pages deploy command. Because the value was interpolated into a command string and handed to a shell via execSync, an attacker could break out of the intended git command and run arbitrary OS commands. CI/CD pipelines are hit particularly hard, since the process running Wrangler typically holds API tokens and other secrets. Fixed in versions 4.59.1 and 3.114.17.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-78 (OS Command Injection)
  • CVSS v4.0: 7.7 (High)
  • Attack Vector: Network / Local (Context dependent)
  • EPSS Score: 0.51%
  • Exploit Status: POC Available
  • Vulnerable Function: execSync() in pages/deploy.ts

Affected Systems

  • Cloudflare Wrangler CLI
  • CI/CD Pipelines using Wrangler
  • GitHub Actions Runners
  • GitLab Runners
  • Wrangler: >= 4.0.0 < 4.59.1 (Fixed in: 4.59.1)
  • Wrangler: >= 3.0.0 < 3.114.17 (Fixed in: 3.114.17)
  • Wrangler: >= 2.0.15 < 3.0.0 (Fixed in: N/A (EOL))

Code Analysis

Commit: 99b1f32

fix: execute git commands in pages deploy safely

-commitMessage = execSync(`git show -s --format=%B ${commitHash}`)
+commitMessage = execFileSync("git", ["show", "-s", "--format=%B", commitHash])
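Review bot: commitHash still reaches git as a bare positional argument, so a value beginning with `-` would be parsed by git as an option rather than a revision even though the shell is now out of the picture; validate it as a hex object name before the call (for example `/^[0-9a-f]{7,64}$/i`) or reject anything starting with `-`. The move from a template string to an argv array is otherwise the right fix, since `execFileSync("git", [...])` never spawns a shell and each array element arrives at git as exactly one argument.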

Exploit Details

  • Internal Analysis: Command injection via unescaped shell metacharacters in commit hash argument.

Mitigation Strategies

  • Input Sanitization
  • Use of execFile over exec
  • Principle of Least Privilege

Remediation Steps:

  1. Identify all projects using wrangler in CI/CD pipelines.
  2. Update wrangler to version 4.59.1+ or 3.114.17+ via npm or yarn.
  3. Rotate any Cloudflare API tokens that were exposed to CI environments prior to the patch.
  4. Audit recent deployments for unexpected file changes or large diffs.

Read the full report for CVE-2026-0933 on our website for more details including interactive diagrams and full exploit analysis.
