GHSA-c4m7-2gwp-vw76

Source

https://github.com/advisories/GHSA-c4m7-2gwp-vw76

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c4m7-2gwp-vw76/GHSA-c4m7-2gwp-vw76.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c4m7-2gwp-vw76

Aliases

CVE-2026-47211

Published

2026-05-29T21:22:41Z

Modified

2026-05-29T21:30:08.210416635Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

ouroboros-ai Vulnerable to Remote Code Execution via Untrusted Project-Directory .env

Details

Impact

A Remote Code Execution (RCE) vulnerability was discovered in Ouroboros. If a user clones a malicious repository and runs Ouroboros commands within that directory, it can lead to arbitrary code execution and potential system takeover.

The vulnerability (CWE-426: Untrusted Search Path & CWE-15: External Control of System Setting) stems from Ouroboros loading the .env file from the current working directory. Prior to the patch, execution-affecting environment variables such as OUROBOROS_CLI_PATH, OPENCODE_CLI_PATH, and other backend selectors were accepted directly from this local .env. An attacker could include a malicious script in the repository and point the CLI path variable to it (e.g., OUROBOROS_CLI_PATH=./malicious_script.sh). When the user executes a command like ouroboros init or any command that instantiates the adapter, the malicious script is executed instead of the intended CLI.

Patches

The vulnerability has been patched in version 0.39.0 via PR #1078. The fix establishes a strict trust boundary by applying a denylist to project-local .env loading. It blocks execution-affecting environment variables (such as runtime selectors and CLI path overrides) from being loaded from the project directory. Explicit constructor overrides and trusted user-owned home configurations (~/.ouroboros/.env) remain fully functional.

Users are strongly advised to upgrade to version 0.39.0 or later.

Workarounds

If upgrading is not immediately possible, users must carefully inspect any .env file inside cloned repositories before running Ouroboros commands to ensure it does not contain unexpected OUROBOROS_*_CLI_PATH or OPENCODE_CLI_PATH overrides.

References

GitHub PR: https://github.com/Q00/ouroboros/pull/1078

Database specific

{
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-426"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T21:22:41Z"
}

References

Affected packages

PyPI / ouroboros-ai

Package

Name: ouroboros-ai; View open source insights on deps.dev
Purl: pkg:pypi/ouroboros-ai

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.39.0

Affected versions

0.*

0.1.0a1

0.1.0

0.1.1

0.2.0

0.2.1

0.2.2

0.2.3

0.3.0

0.4.0

0.4.1

0.5.0

0.5.1

0.6.0

0.7.0

0.8.0

0.9.0

0.10.0

0.11.0

0.11.1

0.12.0

0.12.1

0.12.2

0.13.0

0.13.1

0.13.2

0.13.3

0.13.4

0.13.5

0.13.6

0.13.7

0.14.0

0.14.1

0.15.0

0.16.0

0.17.0

0.18.0

0.18.1

0.19.0

0.19.1

0.20.0

0.21.0

0.21.1

0.22.0

0.23.0

0.23.1

0.23.2

0.24.0

0.25.0

0.25.1

0.25.2.dev2

0.25.2.dev3

0.25.2.dev4

0.25.2.dev78

0.25.2.dev79

0.25.2

0.25.3.dev1

0.25.3.dev2

0.25.3.dev3

0.25.3.dev87

0.25.3.dev88

0.25.3.dev89

0.25.3.dev90

0.25.3.dev91

0.25.3.dev93

0.25.3.dev94

0.25.3.dev95

0.25.3.dev96

0.25.3.dev97

0.25.3.dev98

0.26.0b1

0.26.0b2

0.26.0b3

0.26.0b4

0.26.0b5.dev1

0.26.0b5.dev2

0.26.0b5.dev3

0.26.0b5.dev6

0.26.0b5

0.26.0b6.dev1

0.26.0b7.dev0

0.26.0b7

0.26.0b8.dev1

0.26.0

0.26.1.dev1

0.26.1.dev2

0.26.1.dev3

0.26.1.dev6

0.26.1

0.26.2.dev21

0.26.2.dev26

0.26.2.dev28

0.26.2.dev29

0.26.2.dev32

0.26.2.dev33

0.26.2.dev34

0.26.2.dev35

0.26.2.dev36

0.26.2.dev37

0.26.2.dev38

0.26.2

0.26.3.dev1

0.26.3.dev2

0.26.3.dev3

0.26.3

0.26.4.dev1

0.26.4

0.26.5.dev1

0.26.5.dev2

0.26.5.dev3

0.26.5.dev4

0.26.5.dev5

0.26.5.dev6

0.26.5.dev7

0.26.5.dev8

0.26.5.dev9

0.26.5.dev10

0.26.5.dev11

0.26.5

0.26.6.dev1

0.26.6.dev2

0.26.6

0.26.7.dev1

0.26.7.dev2

0.26.7.dev3

0.26.7.dev4

0.26.7.dev5

0.26.7.dev6

0.26.7.dev7

0.27.0

0.27.1.dev1

0.27.1.dev2

0.27.1.dev3

0.27.1.dev4

0.27.1.dev5

0.27.1.dev6

0.27.1.dev7

0.27.1.dev8

0.27.1.dev9

0.27.1.dev10

0.27.1

0.27.2.dev1

0.27.2.dev2

0.27.2

0.27.3.dev1

0.27.3.dev2

0.27.3.dev3

0.27.3.dev4

0.27.3.dev5

0.27.3.dev6

0.27.3.dev7

0.27.3.dev8

0.28.0

0.28.1.dev1

0.28.1.dev2

0.28.1.dev3

0.28.1.dev4

0.28.1.dev5

0.28.1

0.28.2.dev1

0.28.2.dev2

0.28.2.dev3

0.28.2

0.28.3.dev1

0.28.3.dev2

0.28.3.dev3

0.28.3.dev4

0.28.3.dev5

0.28.3.dev6

0.28.3.dev7

0.28.3.dev8

0.28.3

0.28.4.dev1

0.28.4.dev2

0.28.4

0.28.5.dev1

0.28.5.dev6

0.28.5.dev9

0.28.5

0.28.6.dev2

0.28.6.dev3

0.28.6.dev4

0.28.6.dev5

0.28.6.dev6

0.28.6.dev7

0.28.6.dev8

0.28.6.dev9

0.28.6

0.28.7.dev4

0.28.7.dev6

0.28.7.dev7

0.28.7.dev8

0.28.7.dev9

0.28.7.dev13

0.28.7.dev15

0.28.7.dev17

0.28.7.dev21

0.28.7.dev22

0.28.7.dev25

0.28.7.dev26

0.28.7.dev27

0.28.7.dev28

0.28.7.dev29

0.28.7.dev34

0.28.7.dev37

0.28.7.dev39

0.28.7.dev40

0.28.7

0.28.8.dev1

0.28.8.dev4

0.28.8.dev7

0.28.8.dev9

0.28.8.dev12

0.28.8.dev13

0.28.8.dev14

0.28.8.dev15

0.28.8

0.28.9.dev26

0.28.9.dev31

0.28.9.dev33

0.28.9.dev36

0.28.9.dev79

0.29.0

0.29.1.dev1

0.29.1.dev4

0.29.1.dev8

0.29.1.dev9

0.29.1

0.29.2.dev1

0.29.2.dev2

0.29.2.dev3

0.29.2

0.29.3.dev5

0.29.3.dev6

0.29.3.dev23

0.29.3.dev27

0.29.3.dev29

0.29.3.dev32

0.29.3.dev34

0.29.3.dev37

0.29.3.dev38

0.29.3.dev49

0.29.3.dev50

0.30.0

0.30.1.dev4

0.30.1.dev5

0.30.1.dev7

0.30.1.dev11

0.30.1.dev13

0.31.0

0.31.1.dev1

0.31.1.dev2

0.31.1.dev3

0.31.1.dev4

0.31.1.dev5

0.31.1.dev6

0.31.1.dev9

0.31.1.dev19

0.31.1

0.31.2.dev11

0.31.2.dev12

0.31.2.dev13

0.31.2.dev14

0.31.2.dev15

0.31.2.dev16

0.31.2.dev17

0.31.2.dev18

0.31.2.dev19

0.31.2.dev20

0.31.2.dev21

0.31.2.dev22

0.31.2.dev23

0.31.2.dev24

0.31.2.dev25

0.31.2.dev26

0.31.2.dev27

0.31.2.dev28

0.31.2.dev29

0.31.2.dev31

0.31.2.dev36

0.31.2.dev39

0.32.0

0.32.1.dev1

0.32.1.dev2

0.32.1.dev12

0.32.1.dev17

0.32.1.dev24

0.32.1.dev25

0.32.1.dev26

0.32.1.dev27

0.32.1.dev28

0.32.1.dev29

0.32.1.dev30

0.32.1.dev31

0.32.1.dev32

0.32.1.dev52

0.32.1.dev63

0.32.1.dev64

0.32.1.dev66

0.32.1.dev75

0.32.1.dev78

0.32.1.dev109

0.32.1.dev113

0.33.0

0.33.1.dev1

0.33.1.dev6

0.33.1.dev7

0.33.1.dev19

0.33.1.dev20

0.33.1.dev25

0.33.1.dev30

0.33.1.dev31

0.33.1.dev32

0.33.1.dev33

0.33.1.dev36

0.33.1.dev42

0.33.1.dev48

0.33.1.dev50

0.33.1.dev54

0.33.1.dev55

0.33.1.dev56

0.33.1.dev57

0.33.1.dev58

0.33.1.dev59

0.33.1.dev60

0.33.1.dev61

0.33.1.dev64

0.33.1.dev65

0.33.1.dev66

0.33.1.dev68

0.33.1.dev73

0.33.1.dev76

0.33.1.dev85

0.33.1.dev92

0.33.1.dev96

0.33.1.dev123

0.33.1.dev125

0.33.1.dev129

0.33.1.dev132

0.33.1.dev133

0.33.1.dev134

0.34.0

0.34.1.dev1

0.34.1.dev2

0.34.1.dev3

0.34.1.dev4

0.34.1.dev5

0.34.1.dev8

0.34.1.dev9

0.34.1.dev10

0.34.1.dev11

0.34.1.dev12

0.35.0

0.35.1.dev1

0.35.1.dev2

0.35.1.dev3

0.35.1.dev4

0.35.1.dev5

0.35.1.dev6

0.35.1.dev7

0.35.1.dev8

0.35.1.dev9

0.35.1.dev10

0.35.1.dev11

0.35.1.dev12

0.35.1.dev13

0.35.1.dev14

0.35.1.dev15

0.35.1.dev16

0.35.1.dev17

0.35.1.dev18

0.35.1.dev19

0.35.1.dev20

0.35.1.dev21

0.35.1.dev22

0.35.1.dev23

0.35.1.dev24

0.35.1.dev25

0.35.1.dev26

0.35.1.dev27

0.35.1.dev28

0.35.1.dev32

0.35.1.dev33

0.36.0

0.36.1.dev1

0.36.1.dev2

0.36.1.dev3

0.36.1.dev4

0.36.1.dev5

0.36.1.dev6

0.36.1.dev7

0.36.1.dev8

0.36.1.dev9

0.36.1.dev10

0.36.1.dev11

0.36.1.dev12

0.36.1.dev13

0.36.1.dev14

0.36.1.dev15

0.36.1.dev16

0.36.1.dev17

0.36.1.dev18

0.36.1.dev19

0.36.1.dev20

0.36.1.dev21

0.36.1.dev22

0.36.1.dev23

0.36.1.dev24

0.36.1.dev25

0.36.1.dev26

0.36.1.dev27

0.36.1.dev28

0.36.1.dev29

0.36.1.dev30

0.36.1.dev31

0.36.1.dev32

0.36.1.dev33

0.36.1.dev34

0.36.1.dev36

0.36.1.dev41

0.36.1.dev49

0.36.1.dev50

0.36.1.dev51

0.36.1.dev52

0.36.1.dev53

0.36.1.dev54

0.36.1.dev55

0.36.1.dev56

0.36.1.dev57

0.36.1.dev58

0.36.1.dev59

0.36.1.dev60

0.36.1.dev61

0.36.1.dev62

0.36.1.dev63

0.36.1.dev64

0.36.1.dev65

0.36.1.dev66

0.36.1.dev67

0.36.1.dev68

0.36.1.dev69

0.36.1.dev70

0.36.1.dev71

0.37.0

0.37.1.dev1

0.37.1.dev2

0.37.1.dev3

0.37.1.dev4

0.37.1.dev5

0.37.1.dev6

0.37.1.dev7

0.37.1.dev8

0.37.1.dev9

0.37.1.dev10

0.37.1.dev11

0.37.1.dev12

0.37.1.dev13

0.37.1.dev14

0.37.1.dev15

0.37.1.dev16

0.37.1.dev17

0.37.1.dev18

0.37.1.dev19

0.37.1.dev20

0.37.1.dev21

0.37.1.dev22

0.37.1.dev23

0.37.1.dev24

0.37.1.dev25

0.37.1.dev26

0.37.1.dev27

0.37.1.dev28

0.37.1.dev29

0.37.1.dev30

0.37.1.dev31

0.37.1.dev32

0.37.1.dev33

0.37.1.dev34

0.37.1.dev35

0.37.1.dev36

0.37.1.dev37

0.37.1.dev38

0.37.1.dev39

0.37.1.dev40

0.37.1.dev50

0.37.1.dev51

0.38.0

0.38.1.dev1

0.38.1.dev2

0.38.1.dev3

0.38.1.dev4

0.38.1

0.38.2.dev3

0.38.2

0.38.3.dev1

0.38.3.dev2

0.38.3.dev3

0.38.3.dev4

0.38.3.dev5

0.38.3.dev6

0.38.3.dev7

0.38.3.dev8

0.38.3.dev9

0.38.3.dev10

0.38.3.dev11

0.38.3.dev12

0.38.3.dev13

0.38.3.dev14

0.38.3.dev15

0.38.3.dev16

0.38.3.dev17

0.38.3.dev18

0.38.3.dev19

0.38.3.dev20

0.38.3.dev21

0.38.3.dev22

0.38.3.dev23

0.38.3.dev24

0.38.3.dev25

0.38.3.dev26

0.38.3.dev27

0.38.3.dev28

0.38.3.dev29

0.38.3.dev30

0.38.3.dev31

0.38.3.dev33

0.38.3.dev41

0.38.3.dev43

0.38.3.dev44

0.38.3.dev45

0.38.3.dev46

0.38.3.dev47

0.38.3.dev48

0.38.3.dev49

0.38.3.dev50

0.38.3.dev51

0.38.3.dev52

0.38.3.dev53

0.38.3.dev54

0.38.3.dev55

0.38.3.dev56

0.38.3.dev57

0.38.3.dev60

0.38.3.dev66

0.38.3.dev76

0.38.3.dev86

0.38.3.dev89

0.38.3.dev91

0.38.3.dev93

0.38.3.dev94

0.38.3.dev98

0.38.3.dev99

0.38.3.dev100

0.38.3.dev101

0.38.3.dev102

0.38.3.dev103

0.38.3.dev104

0.38.3.dev105

0.38.3.dev106

0.38.3.dev107

0.38.3.dev108

0.38.3.dev109

0.38.3.dev110

0.38.3.dev111

0.38.3.dev112

0.38.3.dev113

0.38.3.dev114

0.38.3.dev115

0.38.3.dev116

0.38.3.dev117

0.38.3.dev118

0.38.3.dev119

0.38.3.dev120

0.38.3.dev121

0.38.3.dev122

0.38.3.dev123

0.38.3.dev124

0.38.3.dev125

0.38.3.dev126

0.38.3.dev127

0.38.3.dev128

0.38.3.dev129

0.38.3.dev130

0.38.3.dev131

0.38.3.dev132

0.38.3.dev133

0.38.3.dev134

0.38.3.dev135

0.38.3.dev136

0.38.3.dev137

0.38.3.dev138

0.38.3.dev139

0.38.3.dev140

0.38.3.dev141

0.38.3.dev142

0.38.3.dev143

0.38.3.dev144

0.38.3.dev145

0.38.3.dev146

0.38.3.dev147

0.38.3.dev148

0.38.3.dev149

0.38.3.dev150

0.38.3.dev151

0.38.3.dev152

0.38.3.dev153

0.38.3.dev154

0.38.3.dev155

0.38.3.dev156

0.38.3.dev157

0.38.3.dev158

0.38.3.dev159

0.38.3.dev160

0.38.3.dev161

0.38.3.dev162

0.38.3.dev163

0.38.3.dev164

0.38.3.dev165

0.38.3.dev166

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c4m7-2gwp-vw76/GHSA-c4m7-2gwp-vw76.json"