CVE-2026-45369: OS Command Injection in python-utcp CLI Protocol
Vulnerability ID: CVE-2026-45369
CVSS Score: 10.0
Published: 2026-05-14
CVE-2026-45369 is a critical OS command injection vulnerability in the python-utcp library resulting from unsafe argument substitution in the CLI communication protocol. Unauthenticated attackers can execute arbitrary shell commands via specially crafted tool arguments.
TL;DR
A command injection flaw in python-utcp's CLI protocol allows attackers to execute arbitrary commands by supplying unescaped shell arguments during tool invocation.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-78: OS Command Injection
- Attack Vector: Network
- CVSS Score: 10.0 (Critical)
- Impact: Remote Code Execution
- Exploit Status: Proof of Concept Available
- KEV Status: Not Listed
Affected Systems
- Linux
- macOS
- Windows
- python-utcp (utcp-cli): < 1.1.2 (Fixed in: 1.1.2)
Mitigation Strategies
- Upgrade utcp-cli to version 1.1.2 or higher.
- Implement strict input validation and allowlisting on all tool arguments.
- Refactor tool definitions to avoid relying on multi-argument expansion from a single placeholder.
- Run the python-utcp process in a hardened container with minimal privileges.
Remediation Steps:
- Identify all deployments of python-utcp and utcp-cli within your environment.
- Update the dependencies via your package manager (`pip install --upgrade "utcp-cli>=1.1.2"`; the version specifier is quoted so the shell does not treat `>` as a redirection).
- Review existing UTCP tool configurations to ensure no single UTCP_ARG placeholder is used to pass multiple arguments.
- Restart the affected services to ensure the patched library is loaded into memory.
- Monitor process creation events for anomalous shell activity originating from the python service.
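As an added illustration of the mitigation and review steps above (not python-utcp's own code), the following shows the safe shape of placeholder substitution: the tool is defined as an argv list, each placeholder maps to exactly one argument, and no shell is involved, so a value containing shell metacharacters reaches the tool as a single literal string. The `UTCP_ARG_` prefix convention and the echo-argv tool are constructed for this example.

```python
import subprocess
import sys
from typing import Dict, List

# Hypothetical placeholder convention modelled on the "UTCP_ARG" name from the
# advisory; illustrative code, not python-utcp's own implementation.
PLACEHOLDER_PREFIX = "UTCP_ARG_"


def render_argv(template: List[str], args: Dict[str, str]) -> List[str]:
    """Expand an argv template so that one placeholder yields exactly one argv element.

    The template is a list of tokens, never a single shell string, so a value is
    handed to the child process verbatim: it cannot split into extra arguments
    or be interpreted by a shell, whatever characters it contains.
    """
    argv: List[str] = []
    for token in template:
        if token.startswith(PLACEHOLDER_PREFIX):
            name = token[len(PLACEHOLDER_PREFIX):]
            if name not in args:
                raise KeyError(f"no value supplied for placeholder {token}")
            if not isinstance(args[name], str):
                raise TypeError(f"argument {name!r} must be a single string")
            argv.append(args[name])
        else:
            argv.append(token)
    return argv


def run_tool(template: List[str], args: Dict[str, str]) -> str:
    """Run the rendered command without a shell and return its stdout."""
    completed = subprocess.run(
        render_argv(template, args),
        shell=False,          # argv list goes straight to the OS; no shell parsing
        capture_output=True,
        text=True,
        check=True,
    )
    return completed.stdout


# Constructed tool definition: a tiny Python "CLI" that reports its argv, so the
# example is self-contained and runs on any platform with the same interpreter.
ECHO_ARGV_TOOL = [sys.executable, "-c", "import sys; print(repr(sys.argv[1:]))",
                  "--name", "UTCP_ARG_name"]

if __name__ == "__main__":
    # A value full of shell metacharacters arrives as one literal argument.
    print(run_tool(ECHO_ARGV_TOOL, {"name": "report 2026; extra $(args)"}))
```

Configurations that expect one placeholder to expand into several arguments cannot be expressed with this rendering, which is the property the review step in the remediation list is checking for.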
References
Read the full report for CVE-2026-45369 on our website for more details including interactive diagrams and full exploit analysis.