CVE-2026-13501
Status: Received - Intake

Command Injection in ANTLR4 via gofmt

Vulnerability report for CVE-2026-13501, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulDB

Description

A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
antlr antlr4 4.13.2

Exploitability

CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Executive Summary

CVE-2026-13501 is an OS command injection vulnerability in the ANTLR4 GoTarget class, specifically in version 4.13.2. The vulnerability occurs when ANTLR4 generates Go code using the `-Dlanguage=Go` flag and executes the `gofmt` binary via ProcessBuilder without specifying an absolute path. This causes the system to resolve `gofmt` using the PATH environment variable, which can be manipulated by an attacker.

An attacker who can control or prepend a malicious directory to the PATH can cause a crafted malicious `gofmt` executable to run instead of the legitimate one. This malicious executable runs with the privileges of the build process, enabling arbitrary code execution.

The root cause is the unsafe use of ProcessBuilder with a bare command name relying on PATH resolution without validation. Attack vectors include compromised build scripts, CI environment injections, or malicious `.envrc` files.

Impact Analysis

This vulnerability can lead to arbitrary code execution with the privileges of the build process. An attacker who exploits this can execute malicious code on the affected system, potentially gaining full system access.

The impact includes compromise of confidentiality, integrity, and availability of the system. This means sensitive data could be exposed or altered, system operations disrupted, and unauthorized control gained.

Detection Guidance

This vulnerability can be detected by checking if the build environment or scripts use the `gofmt` command without specifying an absolute path, relying on the system PATH environment variable. An attacker can manipulate the PATH to execute a malicious `gofmt` binary.

To detect potential exploitation or presence of a malicious `gofmt` binary, you can check the PATH order and verify the location of the `gofmt` executable being used.

  • Run `which gofmt` or `command -v gofmt` to see the path of the `gofmt` binary that will be executed.
  • Inspect the PATH environment variable with `echo $PATH` to ensure no untrusted directories precede the legitimate `gofmt` binary location.
  • Search for suspicious or unexpected `gofmt` binaries in directories listed in PATH using commands like `find $(echo $PATH | tr ':' ' ') -name gofmt -type f -exec ls -l {} \;`.
  • Check build scripts, CI configurations, or `.envrc` files for any manipulation or prepending of PATH that could introduce malicious directories.

Mitigation Strategies

Immediate mitigation steps include ensuring that the `gofmt` binary is invoked using an absolute path rather than relying on the PATH environment variable.

Validate and restrict the PATH environment variable in build environments to exclude untrusted directories.

Review and sanitize build scripts, CI pipelines, and environment configuration files such as `.envrc` to prevent PATH manipulation.

If possible, configure the build process to allow specifying the exact location of the `gofmt` binary.

Monitor for any suspicious activity or unexpected binaries named `gofmt` in the system.
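The following POSIX shell script is an added example (not code from this CVE page or from the ANTLR project) that turns the detection checklist above and the PATH-restriction mitigation into something a build wrapper can run. It walks a PATH string entry by entry, lists every executable named `gofmt` in resolution order, reports whether the first match sits in a relative or world-writable directory (the condition under which a prepended drop directory shadows the real binary), and derives a restricted PATH that keeps only absolute, existing, non-world-writable directories. The function names, the "trusted"/"UNTRUSTED" labels and the use of `ls -ld` to read the mode bits are this example's own choices; paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not code from the CVE page or the ANTLR project): audit where a
# bare `gofmt` resolves for a given PATH string, and derive a restricted PATH to
# export before running the ANTLR4 tool with -Dlanguage=Go.

# Exit 0 when directory $1 is world-writable, judged from the mode column of
# `ls -ld` (9th character). Sticky directories such as /tmp still count:
# any local user can place a file there, which is exactly the PATH hazard.
world_writable() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# List every executable named $1 on PATH string $2, in resolution order.
# Output lines: "<path> trusted" or "<path> UNTRUSTED". An entry is UNTRUSTED
# when its directory is relative (an empty PATH entry means ".") or when the
# directory is world-writable.
list_candidates() {
    name=$1
    oldifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            case "$dir" in
                /*) if world_writable "$dir"; then tag=UNTRUSTED; else tag=trusted; fi ;;
                *)  tag=UNTRUSTED ;;
            esac
            printf '%s/%s %s\n' "$dir" "$name" "$tag"
        fi
    done
    IFS=$oldifs
}

# The single path a shell (or Java's ProcessBuilder) would execute for bare $1.
# Assumes paths without spaces (the constructed test paths have none).
resolve_first() {
    list_candidates "$1" "$2" | head -n 1 | cut -d' ' -f1
}

# One-line verdict for `gofmt` on PATH string $1: "OK <path>" (exit 0) when the
# first match lives in a trusted directory, otherwise "WARN ..." (exit 1).
audit_gofmt() {
    first=$(list_candidates gofmt "$1" | head -n 1)
    if [ -z "$first" ]; then
        echo "WARN gofmt not found on PATH"
        return 1
    fi
    case "$first" in
        *" trusted") echo "OK ${first% *}" ;;
        *) echo "WARN ${first% *} resolves from an untrusted directory"; return 1 ;;
    esac
}

# Restricted PATH: keep only absolute, existing, non-world-writable directories,
# drop duplicates, preserve order. Export the result before invoking ANTLR so a
# prepended drop directory (from a build script or .envrc) cannot shadow gofmt.
sanitize_path() {
    out=
    oldifs=$IFS
    IFS=:
    for dir in $1; do
        case "$dir" in
            /*) ;;
            *)  continue ;;          # relative or empty entry
        esac
        [ -d "$dir" ] || continue
        world_writable "$dir" && continue
        case ":$out:" in
            *":$dir:"*) continue ;;  # already present
        esac
        out=${out:+$out:}$dir
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

# Run directly: audit the caller's PATH and print the hardened replacement.
audit_gofmt "$PATH" || :
printf 'hardened PATH: %s\n' "$(sanitize_path "$PATH")"
```

In a CI job the two pieces combine naturally: fail the job when `audit_gofmt "$PATH"` returns non-zero, and run the ANTLR invocation under `PATH=$(sanitize_path "$PATH")` so that the bare `gofmt` lookup in GoTarget can only land in a directory the build owner controls. `list_candidates` also surfaces shadowed copies further down the PATH, which is the "unexpected binaries named gofmt" signal the monitoring step asks for.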

Compliance Impact

This vulnerability enables OS command injection through manipulation of the PATH environment variable, potentially allowing attackers to execute arbitrary code with the privileges of the build process. Such unauthorized code execution can lead to breaches of confidentiality, integrity, and availability of data and systems.

Given these impacts, organizations using affected versions of ANTLR4 may face increased risks of data breaches or system compromises, which could result in non-compliance with standards and regulations like GDPR and HIPAA that mandate protection of sensitive data and system integrity.

Mitigating this vulnerability by applying recommended fixes (such as using absolute paths for binaries and validating executable locations) is important to maintain compliance with these regulations.
