CVE-2026-35533: Arbitrary Code Execution via Trust Bypass in mise Configuration Parsing
Vulnerability ID: CVE-2026-35533
CVSS Score: 7.8
Published: 2026-04-07
The mise development tool manager is vulnerable to a local arbitrary code execution flaw due to improper access control during configuration parsing. An attacker can bypass the file trust mechanism by supplying a malicious .mise.toml that overrides the trusted_config_paths directive, leading to the automatic execution of embedded shell commands.
TL;DR
A logic flaw in mise versions 2026.2.18 through 2026.4.5 allows untrusted local configuration files to mark themselves as trusted. This bypasses security prompts and enables arbitrary code execution when a victim interacts with a malicious repository.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-284
- Attack Vector: Local
- CVSS v3.1: 7.8
- Impact: Arbitrary Code Execution
- Exploit Status: PoC Available
Affected Systems
- mise development tool manager
-
mise: 2026.2.18 - 2026.4.5 (Fixed in:
2026.4.6)
Code Analysis
Commit: 37997e7
Fix trust bypass vulnerability in config parsing
Exploit Details
- Security Advisory PoC: Proof of concept demonstrating local arbitrary code execution via manipulated trust paths.
Mitigation Strategies
- Upgrade mise to version 2026.4.6 or later
- Audit global configuration for unauthorized trusted paths
- Review untrusted repositories before cloning
Remediation Steps:
- Execute
mise self-updateto install the latest patched version. - Verify the installation by running
mise --version. - Inspect
~/.config/mise/config.tomlfor anomalies in thetrusted_config_pathslist.
References
Read the full report for CVE-2026-35533 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)