CVE-2026-26331
Command Injection in yt-dlp via --netrc-cmd Option

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-02-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: yt-dlp_project
Product: yt-dlp
Version range: from 2023.06.21 (inclusive) to 2026.02.21 (exclusive)
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26331 is a high-severity arbitrary command injection vulnerability in the yt-dlp tool, which is a command-line audio/video downloader. The vulnerability occurs when users utilize the `--netrc-cmd` command-line option or the `netrc_cmd` Python API parameter. This option allows specifying a command to handle `.netrc` credentials, but previously the input was not properly sanitized.

An attacker can craft a malicious URL containing special shell characters that get substituted into the `--netrc-cmd` argument, leading to execution of arbitrary shell commands on the user's system. This can happen covertly via HTTP redirects to malicious URLs, making exploitation possible even if the URL looks inconspicuous.

The vulnerability specifically affects versions of yt-dlp from 2023.06.21 up to, but not including, 2026.02.21. It is fixed in version 2026.02.21 by validating and restricting the characters allowed in the netrc "machine" values to a safe subset, preventing command injection. [1, 2, 3]


How can this vulnerability impact me?

If you use yt-dlp with the vulnerable `--netrc-cmd` option or the `netrc_cmd` Python API parameter, an attacker can execute arbitrary commands on your system by tricking you into processing a maliciously crafted URL.

  • This can lead to full compromise of confidentiality, integrity, and availability of your system.
  • The attacker can run any shell commands, potentially stealing data, modifying files, or disrupting system operations.
  • Exploitation requires no special privileges but does require user interaction (running yt-dlp with the vulnerable option).

Users who do not use the `--netrc-cmd` option or the `netrc_cmd` parameter are not affected.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if yt-dlp is used with the `--netrc-cmd` command-line option or the `netrc_cmd` Python API parameter, especially if the argument includes a placeholder `{}` that is replaced at runtime with netrc "machine" values. Monitoring for suspicious URLs that contain shell special characters or unusual patterns, such as those including semicolons or shell commands, can also help detect exploitation attempts.

Since the vulnerability involves arbitrary command injection via crafted URLs, network detection could involve inspecting HTTP requests or redirects for suspicious URL patterns that might exploit the vulnerable extractors (GetCourseRuIE, TeachableIE, TeachableCourseIE).

Suggested commands to detect usage or attempts:

  • Search running yt-dlp processes for usage of `--netrc-cmd`: `ps aux | grep yt-dlp | grep -- '--netrc-cmd'`
  • Check command history for yt-dlp invocations with `--netrc-cmd`: `history | grep yt-dlp | grep -- '--netrc-cmd'`
  • Inspect network traffic or logs for suspicious URLs containing shell special characters or unusual patterns, e.g., using tools like `tcpdump` or `Wireshark` with filters for suspicious HTTP requests.
  • Audit yt-dlp configuration files or scripts for use of the `netrc_cmd` parameter or `--netrc-cmd` option. [2]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade yt-dlp to version 2026.02.21 or later, where the vulnerability is fixed by validating and restricting the `netrc_machine` parameter to shell-safe characters.

If upgrading immediately is not possible, users should avoid using the `--netrc-cmd` command-line option or the `netrc_cmd` Python API parameter altogether.

Alternatively, if `--netrc-cmd` must be used, do not pass a placeholder `{}` in the argument, as this is the vector for command injection.

These steps prevent the execution of arbitrary commands injected via maliciously crafted URLs.
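Added example (Python, since yt-dlp is a Python project; this is not yt-dlp's own code) covering the bug in the description above and the fix described in these mitigation steps: the raw `{}` placeholder substitution into a shell command, beside a hardened builder that validates the netrc "machine" value and raises on unexpected input before anything reaches the shell. The allowlist regex and the idea of deriving the machine name from the URL host are assumptions, not the exact check yt-dlp shipped.

```python
"""Placeholder substitution into a netrc command, unsafe and hardened forms."""
import re
import shlex
import subprocess
from urllib.parse import urlparse

# Assumed allowlist (not yt-dlp's exact regex): hostname-like characters only.
# Anything the shell could interpret (; | & $ ` ( ) quotes, whitespace,
# newlines) falls outside it and is rejected.
_NETRC_MACHINE_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')


def build_netrc_cmd_unsafe(template: str, machine: str) -> str:
    """Pre-fix pattern: the machine value is spliced into the shell command as-is.
    When it is derived from the URL being downloaded, the URL author controls it."""
    return template.replace('{}', machine)


def is_valid_netrc_machine(machine: str) -> bool:
    """True only for plain hostname-like values."""
    return _NETRC_MACHINE_RE.fullmatch(machine) is not None


def validate_netrc_machine(machine: str) -> str:
    """The fix's idea: raise on any unexpected machine value instead of passing it on."""
    if not is_valid_netrc_machine(machine):
        raise ValueError(f'unexpected netrc machine value: {machine!r}')
    return machine


def netrc_machine_from_url(url: str) -> str:
    """Derive the machine name from the URL host (assumed extractor behaviour), then validate."""
    return validate_netrc_machine(urlparse(url).hostname or '')


def build_netrc_cmd(template: str, machine: str) -> str:
    """Hardened builder: validate first, shell-quote as defence in depth."""
    return template.replace('{}', shlex.quote(validate_netrc_machine(machine)))


def run_netrc_cmd(template: str, machine: str) -> str:
    """Run the user's netrc command; a shell is inherent to the feature, so the
    only protection is what reaches it."""
    cmd = build_netrc_cmd(template, machine)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout


if __name__ == '__main__':
    # Constructed inputs: a benign course URL and a machine value carrying a ';',
    # which a shell would read as a command separator.
    benign_url = 'https://course.example.com/lesson/1'
    hostile_machine = 'example.com;echo injected'
    print(build_netrc_cmd('grep {} ~/.netrc', netrc_machine_from_url(benign_url)))
    print(build_netrc_cmd_unsafe('grep {} ~/.netrc', hostile_machine))  # reaches the shell unchanged
    print(is_valid_netrc_machine(hostile_machine))  # False: the hardened path refuses it
```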

