CVE-2026-33310
Received Received - Intake
Command Injection via shell() in Intake Package Pre

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33310
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
intake intake to 2.0.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33310 is a command injection vulnerability in the Python package Intake, which is used for finding, investigating, loading, and disseminating data. Prior to version 2.0.9, Intake automatically expanded and executed shell commands embedded in parameter default values during catalog parsing. This means if a malicious catalog YAML file contains a parameter default using the shell() syntax, the shell command inside could be executed on the host system when the catalog is loaded.

The vulnerability arises because the shell() syntax in parameter defaults is expanded and executed without proper restrictions, allowing arbitrary OS commands to run with the privileges of the user loading the catalog. This behavior is triggered during catalog source access, before any explicit user interaction.

Version 2.0.9 mitigates this issue by changing the default behavior to disable shell command execution during parameter expansion unless explicitly enabled, reducing the risk of remote code execution.

Impact Analysis

This vulnerability can lead to arbitrary code execution on your system if you load a malicious Intake catalog YAML file containing shell commands in parameter defaults. An attacker can craft such a catalog to execute OS commands with your user privileges.

  • Execution of arbitrary shell commands on the host system.
  • Potential compromise of confidentiality, integrity, and availability of your system and data.
  • Creation of files or modification of system state without your consent.
  • Risk of further exploitation depending on the commands executed.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if any Intake catalog YAML files loaded on your system contain parameter defaults using the shell() syntax, which triggers shell command execution during catalog parsing.'}, {'type': 'paragraph', 'content': 'A practical detection method is to look for evidence of command execution triggered by loading such catalogs. For example, a proof-of-concept uses a malicious catalog with a parameter default like shell(touch /tmp/intake_rce_test), which creates a file /tmp/intake_rce_test when loaded.'}, {'type': 'paragraph', 'content': 'To detect exploitation or test vulnerability, you can run commands to check for the presence of unexpected files created by malicious catalogs, such as:'}, {'type': 'list_item', 'content': 'ls -l /tmp/intake_rce_test'}, {'type': 'paragraph', 'content': 'Additionally, you can audit your Intake catalog YAML files for the presence of shell() expressions by using commands like:'}, {'type': 'list_item', 'content': "grep -r 'shell(' /path/to/intake/catalogs/"}, {'type': 'paragraph', 'content': 'If such shell() expressions are found in parameter defaults, it indicates potential exposure to this vulnerability.'}] [2]

Mitigation Strategies

Immediate mitigation steps include disabling shell command execution during catalog parameter expansion by ensuring the `getshell` parameter is set to false.

Since Intake versions prior to 2.0.9 have this vulnerability, upgrading to version 2.0.9 or later is recommended, as this version changes the default behavior to disable shell execution by default.

If upgrading is not immediately possible, manually configure Intake to set `getshell=false` in relevant classes or functions to prevent shell commands from being executed during catalog parsing.

Additionally, avoid loading Intake catalogs from untrusted or unknown sources, as malicious YAML files can exploit this vulnerability.

Consider applying explicit opt-in flags such as `allow_shell=true` only when absolutely necessary and only for trusted catalogs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33310. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart