{"uuid": "3fdcd5c2-bd3a-4cda-acee-f207b5be2c8d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45369", "type": "seen", "source": "https://gist.github.com/alon710/f627229667d4bc68a14db2ecccec0ef9", "content": "# CVE-2026-45369: CVE-2026-45369: OS Command Injection in python-utcp CLI Protocol\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-05-14\n> **Full Report:** https://cvereports.com/reports/CVE-2026-45369\n\n## Summary\nCVE-2026-45369 is a critical OS command injection vulnerability in the python-utcp library resulting from unsafe argument substitution in the CLI communication protocol. Unauthenticated attackers can execute arbitrary shell commands via specially crafted tool arguments.\n\n## TL;DR\nA command injection flaw in python-utcp's CLI protocol allows attackers to execute arbitrary commands by supplying unescaped shell arguments during tool invocation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE**: CWE-78: OS Command Injection\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Impact**: Remote Code Execution\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Linux\n- macOS\n- Windows\n- **python-utcp (utcp-cli)**: < 1.1.2 (Fixed in: `1.1.2`)\n\n## Mitigation\n\n- Upgrade `utcp-cli` to version 1.1.2 or higher.\n- Implement strict input validation and allowlisting on all tool arguments.\n- Refactor tool definitions to avoid relying on multi-argument expansion from a single placeholder.\n- Run the python-utcp process in a hardened container with minimal privileges.\n\n**Remediation Steps:**\n1. Identify all deployments of `python-utcp` and `utcp-cli` within your environment.\n2. Update the dependencies via your package manager (`pip install --upgrade utcp-cli>=1.1.2`).\n3. Review existing UTCP tool configurations to ensure no single `UTCP_ARG` placeholder is used to pass multiple arguments.\n4. Restart the affected services to ensure the patched library is loaded into memory.\n5. Monitor process creation events for anomalous shell activity originating from the python service.\n\n## References\n\n- [GitHub Advisory](https://github.com/universal-tool-calling-protocol/python-utcp/security/advisories/GHSA-33p6-5jxp-p3x4)\n- [Project Repository](https://github.com/universal-tool-calling-protocol/python-utcp)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-45369)\n- [NVD Record](https://nvd.nist.gov/vuln/detail/CVE-2026-45369)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-45369) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-14T22:40:29.000000Z"}