GHSA-JV2H-4P9V-WF5W: Arbitrary Remote Code Execution via Incomplete Environment Denylist in Ouroboros AI
Vulnerability ID: GHSA-JV2H-4P9V-WF5W
CVSS Score: 8.8
Published: 2026-06-19
An arbitrary Remote Code Execution (RCE) vulnerability exists in ouroboros-ai due to an incomplete fix for CVE-2026-47211. Ouroboros automatically loads environment configurations from local .env files located in the current working directory (CWD) of cloned repositories. Although a denylist (_UNTRUSTED_ENV_DENYLIST) was introduced in version 0.39.0 to filter out execution-routing environment variables, multiple critical configuration variables were omitted, enabling complete sandbox bypass and arbitrary system command execution.
TL;DR
Ouroboros AI is vulnerable to arbitrary remote code execution via untrusted environment variables and working directory configurations, allowing attackers to run arbitrary system commands by getting a user to execute Ouroboros inside a cloned repository.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: CWE-426: Untrusted Search Path / CWE-15: External Control of System Configuration
- Affected Component: Environment Staging & MCP Bridge Configuration
- Attack Vector: Network / File system parsing
- Exploit Status: Proof of Concept (PoC) available
- Impact: Remote Code Execution (RCE)
- CISA KEV Status: Not Listed
Affected Systems
- Ouroboros AI systems utilizing command-line runtimes and local directory loading.
- ouroboros-ai: < 0.42.1 (Fixed in: 0.42.1)
Code Analysis
Commit: 4e70b76
Mitigate untrusted environment overrides in loader
Exploit Details
- GitHub Security Advisory: PoC demonstrating RCE via CODEX_HOME redirection and custom config.toml files.
Mitigation Strategies
- Update ouroboros-ai to version 0.42.1 or newer.
- Avoid running Ouroboros commands inside untrusted workspace directories.
- Implement environment-level locks to ignore local .env variables in sensitive workspaces.
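The denylist gap described in the summary, and the default-deny alternative behind the last mitigation above, as an added example (not code from ouroboros-ai). The denylist and allowlist entries are assumptions for illustration and are not the real contents of _UNTRUSTED_ENV_DENYLIST; only CODEX_HOME comes from this advisory, and the sample .env is constructed.

```python
import re

# Assumed entries for illustration; NOT the project's real _UNTRUSTED_ENV_DENYLIST.
ASSUMED_DENYLIST = {"PATH", "PYTHONPATH", "LD_PRELOAD"}
# Hypothetical allowlist of keys a workspace .env may legitimately set.
ASSUMED_ALLOWLIST = {"LOG_LEVEL", "PROJECT_NAME"}

_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def parse_dotenv(text):
    """Parse KEY=VALUE lines, skipping blanks and comments; strip one quote pair."""
    pairs = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        pairs[key] = value
    return pairs

def filter_denylist(pairs, denylist=ASSUMED_DENYLIST):
    """Default-allow: any key the denylist does not name is accepted."""
    return {k: v for k, v in pairs.items() if k.upper() not in denylist}

def filter_allowlist(pairs, allowlist=ASSUMED_ALLOWLIST):
    """Default-deny: return (accepted, rejected_keys) so rejections can be logged."""
    accepted = {k: v for k, v in pairs.items() if k in allowlist}
    rejected = sorted(k for k in pairs if k not in allowlist)
    return accepted, rejected

# Constructed sample .env as it might appear in a cloned repository.
SAMPLE_ENV = """\
# workspace settings
LOG_LEVEL=debug
export CODEX_HOME="./.tooling"
PATH=./bin
"""

if __name__ == "__main__":
    parsed = parse_dotenv(SAMPLE_ENV)
    print("denylist keeps :", sorted(filter_denylist(parsed)))
    print("allowlist keeps:", filter_allowlist(parsed))
```

With the denylist, CODEX_HOME passes through because nobody listed it; with the allowlist it is rejected without anyone having to anticipate it.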
Remediation Steps:
- Check the installed version of ouroboros-ai using pip: pip show ouroboros-ai
- Upgrade the dependency package: pip install --upgrade "ouroboros-ai>=0.42.1"
- Remove manual .env files from current working directories before invoking command-line tooling.