GHSA-q38v-wp89-2w55

Suggest an improvement
Source
https://github.com/advisories/GHSA-q38v-wp89-2w55
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-q38v-wp89-2w55/GHSA-q38v-wp89-2w55.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q38v-wp89-2w55
Aliases
  • CVE-2026-54552
Published
2026-07-17T18:41:38Z
Modified
2026-07-17T18:45:52.928226986Z
Severity
  • 7.9 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
sh _uid does not drop supplementary groups (incomplete privilege drop)
Details

Impact

The _uid option performed an incomplete privilege drop on Linux/Unix-like systems.

When sh was run from a process with elevated privileges, such as root, and a command was launched with _uid=<unprivileged user>, the child process changed its UID and primary GID but did not reset its supplementary groups. As a result, the child process could retain the parent process’s supplementary groups, potentially including privileged groups such as root, docker, disk, shadow, or sudo.

This could allow a subprocess that was expected to run with reduced privileges to access files or resources available to the original process’s supplementary groups. Users are impacted if they rely on _uid as a privilege boundary when launching commands from a privileged parent process.

Patches

Upgrade to version >= 2.2.4

Workarounds

Avoid using _uid when the user represents a less-privileged user.

Database specific
{
    "cwe_ids": [
        "CWE-273"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2026-07-17T18:41:38Z",
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

PyPI / sh

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.4

Affected versions

0.*
0.01
0.106
0.107
0.108
1.*
1.0
1.01
1.02
1.03
1.04
1.05
1.06
1.07
1.08
1.09
1.10
1.11
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.6
1.12.7
1.12.8
1.12.9
1.12.10
1.12.11
1.12.12
1.12.13
1.12.14
1.13.0
1.13.1
1.14.0
1.14.1
1.14.2
1.14.3
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-q38v-wp89-2w55/GHSA-q38v-wp89-2w55.json"