CVE-2026-26331
Command Injection in yt-dlp via --netrc-cmd Option
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yt-dlp_project | yt-dlp | From 2023.06.21 (inclusive) to 2026.02.21 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26331 is a high-severity arbitrary command injection vulnerability in the yt-dlp tool, a command-line audio/video downloader. The vulnerability occurs when users utilize the `--netrc-cmd` command-line option or the `netrc_cmd` Python API parameter. This option allows specifying a command to handle `.netrc` credentials, but previously the input was not properly sanitized.

An attacker can craft a malicious URL containing special shell characters that get substituted into the `--netrc-cmd` argument, leading to execution of arbitrary shell commands on the user's system. This can happen covertly via HTTP redirects to malicious URLs, making exploitation possible even if the URL looks inconspicuous.

The vulnerability specifically affects versions of yt-dlp from 2023.06.21 up to, but not including, 2026.02.21. It is fixed in version 2026.02.21 by validating and restricting the characters allowed in the netrc "machine" values to a safe subset, preventing command injection. [1, 2, 3]
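The following is an added illustration of the pattern described above, written for this page; it is not yt-dlp's code. It models a `--netrc-cmd` style template whose `{}` placeholder is replaced with a netrc "machine" value, shows how a value that carries shell metacharacters changes the shape of the resulting command, and beside it the fixed pattern: an allowlist check on the machine value followed by quoting. The template string, the sample hostnames and the exact allowlist are assumptions (the page only says the fix restricts the value to a "safe subset"). Nothing here executes a command; the functions only build and inspect the strings.

```python
import re
import shlex

# Constructed template in the style of a --netrc-cmd value. The {} placeholder
# is replaced with the netrc "machine" name before the command would be run.
# Template, hostnames and allowlist are assumptions made for this example.
TEMPLATE = 'gpg --decrypt ~/.netrc.gpg | grep -A2 {}'

# Conservative hostname allowlist: letters, digits, dot, hyphen, underscore.
# The exact set accepted by the upstream fix is not given on this page.
_SAFE_MACHINE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')

# Characters that start a new command, a pipeline stage or a substitution.
_SEPARATORS = re.compile(r'[;&|`$]')


def build_netrc_command_naive(template: str, machine: str) -> str:
    """Vulnerable pattern (CWE-78): the machine value, which an extractor may
    derive from a URL, is spliced into the shell template verbatim."""
    return template.replace('{}', machine)


def is_safe_netrc_machine(machine: str) -> bool:
    """True when the machine value consists only of hostname characters."""
    return _SAFE_MACHINE.fullmatch(machine) is not None


def build_netrc_command_hardened(template: str, machine: str) -> str:
    """Fixed pattern: reject anything outside the allowlist, and quote the value
    anyway so a later relaxation of the allowlist cannot silently reopen the hole."""
    if not is_safe_netrc_machine(machine):
        raise ValueError(f'unsafe netrc machine value rejected: {machine!r}')
    return template.replace('{}', shlex.quote(machine))


def hardened_rejects(machine: str) -> bool:
    """Convenience wrapper: does the hardened builder refuse this value?"""
    try:
        build_netrc_command_hardened(TEMPLATE, machine)
    except ValueError:
        return True
    return False


def command_changes_shape(template: str, machine: str) -> bool:
    """Self-check usable in review or tests: after substitution, does the command
    contain more separators than the template itself? A hostname never adds one."""
    before = len(_SEPARATORS.findall(template))
    after = len(_SEPARATORS.findall(template.replace('{}', machine)))
    return after > before


def demo() -> dict:
    benign = 'example.com'
    # Constructed hostile value: a hostname followed by a harmless second command.
    hostile = 'example.com; echo injected'
    return {
        'naive_benign': build_netrc_command_naive(TEMPLATE, benign),
        'naive_hostile': build_netrc_command_naive(TEMPLATE, hostile),
        'hostile_changes_shape': command_changes_shape(TEMPLATE, hostile),
        'hostile_rejected': hardened_rejects(hostile),
        'hardened_benign': build_netrc_command_hardened(TEMPLATE, benign),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key:22} {value!r}')
```

The allowlist does the real work; `shlex.quote` is defence in depth, and `command_changes_shape` is the kind of property check a reviewer can run over a corpus of observed machine values to confirm none of them alters the command structure.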
How can this vulnerability impact me?
If you use yt-dlp with the vulnerable `--netrc-cmd` option or the `netrc_cmd` Python API parameter, an attacker can execute arbitrary commands on your system by tricking you into processing a maliciously crafted URL.
- This can lead to full compromise of confidentiality, integrity, and availability of your system.
- The attacker can run any shell commands, potentially stealing data, modifying files, or disrupting system operations.
- Exploitation requires no special privileges but does require user interaction (running yt-dlp with the vulnerable option).
Users who do not use the `--netrc-cmd` option or the `netrc_cmd` parameter are not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if yt-dlp is used with the `--netrc-cmd` command-line option or the `netrc_cmd` Python API parameter, especially if the argument includes a placeholder `{}` that is replaced at runtime with netrc "machine" values. Monitoring for suspicious URLs that contain shell special characters or unusual patterns, such as those including semicolons or shell commands, can also help detect exploitation attempts.

Since the vulnerability involves arbitrary command injection via crafted URLs, network detection could involve inspecting HTTP requests or redirects for suspicious URL patterns that might exploit the vulnerable extractors (GetCourseRuIE, TeachableIE, TeachableCourseIE).

Suggested commands to detect usage or attempts:
- Search running yt-dlp processes for usage of `--netrc-cmd`: `ps aux | grep yt-dlp | grep -- '--netrc-cmd'`
- Check command history for yt-dlp invocations with `--netrc-cmd`: `history | grep yt-dlp | grep -- '--netrc-cmd'`
- Inspect network traffic or logs for suspicious URLs containing shell special characters or unusual patterns, e.g., using tools like `tcpdump` or `Wireshark` with filters for suspicious HTTP requests.
- Audit yt-dlp configuration files or scripts for use of the `netrc_cmd` parameter or `--netrc-cmd` option. [2]
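As an added example of the audit step above (not part of the original page), the script below scans lines from shell history, wrapper scripts, process listings or Python code for `--netrc-cmd` / `netrc_cmd` usage and separates plain usage from the injectable form, i.e. an argument that contains the `{}` placeholder. The sample lines are constructed for this example; the command templates in them are assumptions and not taken from any real configuration.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: two shell-history lines, a script line using the
# --netrc-cmd=VALUE form, a Python API call, and an unrelated invocation.
SAMPLE_LINES = [
    " 512  yt-dlp --netrc-cmd 'gpg --decrypt ~/.netrc.gpg | grep -A2 {}' https://example.com/video",
    " 513  yt-dlp --netrc-cmd 'cat ~/.netrc' https://example.com/other",
    'yt-dlp --netrc-cmd="pass show netrc/{}" --batch-file urls.txt',
    "ydl_opts = {'netrc_cmd': 'gpg -d ~/.netrc.gpg | grep {}'}",
    " 514  yt-dlp -f best https://example.com/video",
]

# Python API usage: netrc_cmd followed by = or : and a quoted string.
_PY_API = re.compile(r"""netrc_cmd['"]?\s*[=:]\s*(['"])(.*?)\1""")


@dataclass
class Finding:
    line: str
    argument: Optional[str]   # the command template, when it could be recovered
    has_placeholder: bool     # True when `{}` is present: the injectable form


def _shell_argument(line: str) -> Optional[str]:
    """Recover the value of --netrc-cmd from a shell-style line."""
    try:
        tokens = shlex.split(line)
    except ValueError:          # unbalanced quotes, e.g. a truncated log line
        tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok == '--netrc-cmd' and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.startswith('--netrc-cmd='):
            return tok.split('=', 1)[1]
    return None


def _python_argument(line: str) -> Optional[str]:
    """Recover the value of the netrc_cmd parameter from a Python source line."""
    m = _PY_API.search(line)
    return m.group(2) if m else None


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding when the line uses the netrc command option, else None."""
    if '--netrc-cmd' in line:
        marker = '--netrc-cmd'
    elif 'netrc_cmd' in line:
        marker = 'netrc_cmd'
    else:
        return None
    argument = _shell_argument(line) or _python_argument(line)
    # Look for the placeholder in everything after the option, not only in the
    # recovered argument: `ps` output drops the original quoting, so the value
    # may split into several tokens there, but `{}` still appears after the flag.
    tail = line.split(marker, 1)[1]
    return Finding(line=line.strip(), argument=argument, has_placeholder='{}' in tail)


def scan(lines) -> List[Finding]:
    """Run inspect_line over an iterable of lines and keep the hits."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


if __name__ == '__main__':
    for f in scan(SAMPLE_LINES):
        level = 'INJECTABLE' if f.has_placeholder else 'uses option'
        print(f'{level:12} {f.argument!r}  <- {f.line}')
```

Feed it real input with something like `history | python3 scan_netrc.py` after replacing `SAMPLE_LINES` with `sys.stdin`; findings marked `INJECTABLE` are the ones the mitigation section says to remove or upgrade away first.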
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade yt-dlp to version 2026.02.21 or later, where the vulnerability is fixed by validating and restricting the `netrc_machine` parameter to shell-safe characters.
If upgrading immediately is not possible, users should avoid using the `--netrc-cmd` command-line option or the `netrc_cmd` Python API parameter altogether.
Alternatively, if `--netrc-cmd` must be used, do not pass a placeholder `{}` in the argument, as this is the vector for command injection.
These steps prevent the execution of arbitrary commands injected via maliciously crafted URLs.