CVE-2026-0933
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-20

Last updated on: 2026-01-27

Assigner: Cloudflare, Inc.

Description
SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., Β execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hashΒ parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-27
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0933
EUVD
EUVD-2026-3519
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cloudflare wrangler From 2.0.15 (inc) to 3.114.17 (exc)
cloudflare wrangler From 4.0.0 (inc) to 4.59.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a command injection issue in the 'wrangler pages deploy' command. It occurs because the '--commit-hash' parameter is passed directly into a shell command without proper validation or sanitization. An attacker who can control the '--commit-hash' input can inject and execute arbitrary shell commands on the system running Wrangler.

Impact Analysis

If exploited, this vulnerability allows an attacker to run any shell command on the affected system. This can lead to exfiltration of environment variables, compromise of the CI runner by installing backdoors, or modification of build artifacts. It primarily affects CI/CD environments where the '--commit-hash' parameter is populated from external, potentially untrusted sources.

Mitigation Strategies

Upgrade Wrangler to a secure version: for Wrangler v4 users, upgrade to version 4.59.1 or higher; for Wrangler v3 users, upgrade to version 3.114.17 or higher; users on Wrangler v2 (EOL) should upgrade to a supported major version.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart