CVE-2026-33310
Command Injection via shell() in Intake Package Pre
Publication date: 2026-03-24
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| intake | intake | < 2.0.9 (2.0.9 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33310 is a command injection vulnerability in the Python package Intake, which is used for finding, investigating, loading, and disseminating data. Prior to version 2.0.9, Intake automatically expanded and executed shell commands embedded in parameter default values during catalog parsing. This means if a malicious catalog YAML file contains a parameter default using the shell() syntax, the shell command inside could be executed on the host system when the catalog is loaded.
The vulnerability arises because the shell() syntax in parameter defaults is expanded and executed without proper restrictions, allowing arbitrary OS commands to run with the privileges of the user loading the catalog. This behavior is triggered during catalog source access, before any explicit user interaction.
Version 2.0.9 mitigates this issue by changing the default behavior to disable shell command execution during parameter expansion unless explicitly enabled, reducing the risk of remote code execution.
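To make the mechanism concrete, here is an added example that models the behaviour described above; it is not Intake's own code. The catalog dict (standing in for a parsed YAML file), the `expand_default` and `load_parameter_defaults` names and the harmless `echo` command are all constructed for illustration. The `getshell` switch plays the role the advisory attributes to it: with it on, a `shell(...)` default is handed to a shell and its output becomes the parameter value; with it off (the 2.0.9 default), the literal is returned untouched and no process is spawned.

```python
import re
import subprocess

# Constructed catalog, already parsed from YAML into Python objects (what a
# YAML loader would hand to the catalog code). Not a real project catalog.
CATALOG = {
    "sources": {
        "report": {
            "driver": "csv",
            "args": {"urlpath": "{{ path }}/report.csv"},
            "parameters": {
                # Attacker-controlled default: a shell() expression.
                "path": {"type": "str", "default": "shell(echo intake-demo)"},
                # Benign defaults that must survive expansion untouched here.
                "region": {"type": "str", "default": "env(REGION)"},
                "sep": {"type": "str", "default": ","},
            },
        }
    }
}

# Matches the whole string form shell(<command>); the command is group 1.
SHELL_RE = re.compile(r"^shell\((.*)\)$", re.DOTALL)


def expand_default(value, getshell):
    """Expand one parameter default.

    Simplified model of the behaviour the advisory describes (not Intake's
    code): a string shell(cmd) is run through a shell and its stdout becomes
    the default when getshell is True. Lists and dicts are walked recursively
    so a shell() hidden inside a nested default is treated the same way.
    """
    if isinstance(value, dict):
        return {k: expand_default(v, getshell) for k, v in value.items()}
    if isinstance(value, list):
        return [expand_default(v, getshell) for v in value]
    if not isinstance(value, str):
        return value
    m = SHELL_RE.match(value)
    if m is None:
        return value  # env(...) and plain strings are left alone in this model
    if not getshell:
        # Hardened path (the post-2.0.9 default): the shell is never invoked;
        # the literal is returned so a caller can detect and reject it.
        return value
    # Vulnerable path: text from the catalog file reaches a shell as-is.
    return subprocess.check_output(m.group(1), shell=True, text=True).strip()


def load_parameter_defaults(catalog, getshell=False):
    """Expand every parameter default of every source; getshell is the opt-in."""
    defaults = {}
    for name, source in catalog.get("sources", {}).items():
        params = source.get("parameters", {})
        defaults[name] = {
            p: expand_default(spec.get("default"), getshell)
            for p, spec in params.items()
        }
    return defaults


if __name__ == "__main__":
    print("getshell=False:", load_parameter_defaults(CATALOG))
    print("getshell=True: ", load_parameter_defaults(CATALOG, getshell=True))
```

The point of the example is where the trust boundary sits: the string inside `shell(...)` comes straight from the catalog file, so whoever writes the catalog chooses the command, and the only thing standing between the file and `subprocess` is the `getshell` flag. Run it as a script to see both paths side by side.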
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution on your system if you load a malicious Intake catalog YAML file containing shell commands in parameter defaults. An attacker can craft such a catalog to execute OS commands with your user privileges.
- Execution of arbitrary shell commands on the host system.
- Potential compromise of confidentiality, integrity, and availability of your system and data.
- Creation of files or modification of system state without your consent.
- Risk of further exploitation depending on the commands executed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether any Intake catalog YAML files loaded on your system contain parameter defaults using the shell() syntax, which triggers shell command execution during catalog parsing on a vulnerable version.
First confirm which version is installed; anything below 2.0.9 is affected:
- python -c "import intake; print(intake.__version__)"
A practical way to detect exploitation is to look for evidence of command execution triggered by loading such a catalog. The proof-of-concept uses a malicious catalog with a parameter default like shell(touch /tmp/intake_rce_test), which creates the file /tmp/intake_rce_test when the catalog is loaded. To check for that marker:
- ls -l /tmp/intake_rce_test
Note that this only finds that specific proof-of-concept; a real attacker will run a different command, so the absence of the file proves nothing.
Additionally, audit your Intake catalog YAML files for shell() expressions:
- grep -rn 'shell(' /path/to/intake/catalogs/
If shell() expressions are found in parameter defaults, the catalog will execute them when loaded by a vulnerable Intake version, or by a patched one with shell expansion explicitly re-enabled. [2]
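The grep above also matches comments, documentation strings and `shell(` anywhere in a value, and it tells you nothing about which source or parameter is affected. Here is an added detection script, not part of the page or of Intake, that reads catalog files without loading them (so nothing is ever expanded or executed) and reports each `default:` whose value is a `shell(...)` expression together with the source name, parameter name, line number and embedded command. The sample catalog is constructed for the example and reuses the page's proof-of-concept command as its payload; `find_shell_defaults`, `scan_directory` and `demo` are names chosen here. The indentation tracker is deliberately minimal: it handles the block-style layout Intake catalogs normally use and does not parse flow-style YAML.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample catalog; not a real file from any project. The first
# source carries the advisory's proof-of-concept payload in a default.
SAMPLE_CATALOG = """\
metadata:
  version: 1
sources:
  sales:
    driver: csv
    args:
      urlpath: "{{ base }}/sales.csv"
    parameters:
      base:
        description: data root
        type: str
        default: shell(touch /tmp/intake_rce_test)
      region:
        type: str
        default: env(REGION)
  safe:
    driver: csv
    args:
      urlpath: data.csv
    parameters:
      sep:
        type: str
        default: ","
"""

# A block-style "key: value" line; group 1 is the indentation, 3 the value.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")
# A default value that is a shell() expression, quoted or not.
SHELL_RE = re.compile(r"""^['"]?shell\((.*)\)['"]?\s*$""")


def find_shell_defaults(text, filename="<string>"):
    """Return (filename, line, source, parameter, command) for every
    parameter default of the form shell(...). Walks the YAML by indentation
    so each hit can be attributed to its source and parameter."""
    findings = []
    stack = []  # (indent, key) pairs for the enclosing mappings
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue  # list items, continuation lines, flow syntax: skipped
        indent, key, rest = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        sm = SHELL_RE.match(rest)
        if key != "default" or sm is None:
            continue
        path = [k for _, k in stack]
        # Expected shape: sources / <source> / parameters / <param> / default
        source = path[1] if len(path) > 1 and path[0] == "sources" else "?"
        param = path[-2] if len(path) >= 2 else "?"
        findings.append((filename, n, source, param, sm.group(1)))
    return findings


def scan_directory(root):
    """Scan every *.yaml / *.yml file under root; read-only, nothing is loaded."""
    hits = []
    for p in sorted(Path(root).rglob("*.y*ml")):
        hits.extend(find_shell_defaults(p.read_text(), str(p)))
    return hits


def demo():
    """Write the constructed catalog to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "catalog.yaml").write_text(SAMPLE_CATALOG)
        return [(h[1], h[2], h[3], h[4]) for h in scan_directory(d)]


if __name__ == "__main__":
    for filename, line, source, param, cmd in scan_directory("."):
        print(f"{filename}:{line}: source={source} parameter={param} cmd={cmd!r}")
```

Point `scan_directory` at wherever your catalogs live (or run the script from that directory). Any hit is a catalog that will run an attacker-chosen command under the loading user's account on a pre-2.0.9 Intake, so treat the catalog as hostile until its origin is explained; the command string in the report tells you what it would have done.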
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to disable shell command execution during catalog parameter expansion by making sure the `getshell` option is `False` wherever catalog parameters are expanded.
Since every Intake version before 2.0.9 is affected, upgrade to 2.0.9 or later; that release changes the default so that shell expansion is off unless explicitly enabled.
If you cannot upgrade immediately, pass `getshell=False` explicitly where your code opens catalogs, and verify after deployment (for example by loading a catalog whose parameter default is a harmless `shell(...)` marker and confirming it is not executed) that the setting actually takes effect.
Do not load Intake catalogs from untrusted or unknown sources: a catalog file is effectively code, and a malicious YAML file is all an attacker needs.
Re-enable shell expansion only through an explicit opt-in flag such as `allow_shell=true`, only when it is genuinely needed, and only for catalogs you control and have reviewed.