CVE-2026-33646
Status: Received - Intake
Arbitrary Command Execution in mise via Malicious .tool-versions File

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec() function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not subject to trust verification in non-paranoid mode. This means an attacker can place a malicious .tool-versions file in a git repository, and when a victim with mise activated changes directory (cd) into that repository, arbitrary commands execute without any trust prompt. This vulnerability is fixed in 2026.3.10.
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Quick Actions (AI-generated summary)
Executive Summary

CVE-2026-33646 is a critical vulnerability in the mise tool before version 2026.3.10 that allows arbitrary code execution. The issue occurs because mise processes .tool-versions files using the Tera template engine, which has the exec() function registered for command execution. Unlike .mise.toml files, .tool-versions files do not undergo trust verification in non-paranoid mode.

An attacker can place a malicious .tool-versions file containing Tera template syntax with embedded commands in a git repository. When a victim with mise activated enters the directory, the shell hook automatically parses the file and silently executes these commands without any user prompt, so they run with the victim's full user privileges.

This vulnerability enables silent remote code execution (RCE) with no user interaction, making it a severe supply chain attack vector.

Impact Analysis

This vulnerability can have severe impacts including arbitrary command execution on your system with your user privileges when you enter a directory containing a malicious .tool-versions file.

Because the commands execute silently and automatically, attackers can steal credentials, tokens, or escalate privileges without your knowledge.

It poses a high risk to confidentiality, integrity, and availability of your system and data, as reflected by its critical CVSS score of 9.6.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade mise to version 2026.3.10 or later, where the issue is fixed.

The fix involves adding trust checks to the parsing of .tool-versions files, removing the exec() function from the Tera template context, or eliminating Tera processing for .tool-versions files entirely.

Until you can upgrade, avoid changing directory (cd) into directories containing untrusted .tool-versions files, especially those from git repositories, to prevent arbitrary command execution.
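A defender-side check for the interim mitigation above, added here as an example and not taken from the advisory or the mise project: it walks a checkout before you cd into it and flags any .tool-versions file that contains Tera delimiters ({{ }}, {% %}, {# #}) or a line that is not a plain tool/version entry. The sample files are constructed; the exec(command=...) argument name is assumed from mise's documented template function and the detector does not rely on it.

```python
import os
import re
import tempfile
from pathlib import Path

# Tera delimiters: {{ expr }}, {% statement %}, {# comment #}. A vulnerable mise
# renders the whole file through Tera first, so a delimiter anywhere counts.
TERA_DELIMS = re.compile(r"\{\{|\{%|\{#")
# A plain entry is "<tool> <version> [<version>...]" plus optional "# comment".
PLAIN_LINE = re.compile(r"^[^\s{}]+(\s+[^\s{}]+)+\s*(#.*)?$")

def suspicious_lines(text: str) -> list[tuple[int, str]]:
    """(line_no, line) for lines with Tera delimiters or not a plain entry."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if TERA_DELIMS.search(s):
            hits.append((n, s))  # template syntax: always flag
        elif s and not s.startswith("#") and not PLAIN_LINE.match(s):
            hits.append((n, s))  # malformed entry: flag for review
    return hits

def scan_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Walk a checkout (skipping .git); report .tool-versions files with hits."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if ".tool-versions" in filenames:
            path = Path(dirpath) / ".tool-versions"
            hits = suspicious_lines(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed samples (not from the advisory). The exec() argument name follows
# mise's documented template function; the detector does not depend on it.
CLEAN = "nodejs 20.11.0\npython 3.12.2 3.11  # two fallbacks\nterraform latest\n"
TEMPLATED = 'nodejs 20.11.0\n# {{ exec(command="id") }}\npython {% if true %}3.12{% endif %}\n'

def demo() -> int:
    """Write both samples into a temp tree; return how many files get flagged."""
    with tempfile.TemporaryDirectory() as root:
        for sub, body in (("clean", CLEAN), ("templated", TEMPLATED)):
            d = Path(root) / sub
            d.mkdir()
            (d / ".tool-versions").write_text(body)
        return len(scan_tree(root))
```

Run scan_tree on a freshly cloned repository before entering it; a non-empty result means the file deserves a manual look, since a legitimate version list never needs template syntax.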
