CVE-2026-55448
Status: Received - Intake
Arbitrary Command Execution in mise Dev Tool Manager

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credential_command from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the victim runs a GitHub-related mise command and no higher-priority GitHub token environment variable is set. This vulnerability is fixed in 2026.6.4.
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-78

Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

CVE-2026-55448 is a vulnerability in the mise tool where a local project configuration file (.mise.toml) can specify a setting called github.credential_command that is executed without proper validation.

An attacker who can place a malicious .mise.toml file in a repository can execute arbitrary shell commands on the victim's system when the victim runs a GitHub-related mise command, assuming no higher-priority GitHub token environment variable is set.

This happens because mise loads and executes the github.credential_command from untrusted local files before making any trust decisions, leading to command injection via the shell execution path.

The vulnerability is fixed in version 2026.6.4 by ignoring github.credential_command in non-global project config files.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary shell commands on your system when you run GitHub-related mise commands in a repository containing a malicious .mise.toml file.

The impact includes potential compromise of confidentiality and integrity of your system, as the attacker can run commands with your user privileges.

The CVSS score of 6.3 indicates a moderate severity, with a local attack vector, high complexity, no required privileges, but requiring user interaction.

Detection Guidance

This vulnerability can be detected by checking for the presence of a local project configuration file named `.mise.toml` in repositories where the mise tool is used, especially if the `github.credential_command` setting is present.

You can inspect the contents of `.mise.toml` files for suspicious or unexpected commands in the `github.credential_command` field.

Suggested commands to detect this vulnerability include:

  • Find `.mise.toml` files in your project directories: `find . -name ".mise.toml"`
  • Search for the `github.credential_command` setting inside these files: `find . -name ".mise.toml" -exec grep -H "credential_command" {} +` (matching on `credential_command` alone also catches the TOML table form, where the key is written as `credential_command = "..."` under a `[github]` header, and passing the files via `-exec` avoids breaking on paths that contain spaces).
  • Review the output for any suspicious shell commands that could be executed.
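As an added example (not from the advisory or the mise project), the POSIX shell script below implements the check above and goes slightly beyond it: it walks a directory tree for `.mise.toml` files and flags any line that sets `github.credential_command`, whether written as a dotted key or as `credential_command` inside a `[github]` table. The sample tree it scans is constructed in a temp directory for the demonstration, and the values in it are harmless placeholders.

```shell
#!/bin/sh
# scan_mise_configs DIR
# Walks DIR for .mise.toml files and prints "<file>: <line>" for every line that
# sets github.credential_command, the key that affected mise versions (2026.3.15
# until 2026.6.4) executed with `sh -c` before any trust decision was made.
# Both TOML spellings are covered: the dotted key
# `github.credential_command = "..."` and `credential_command = "..."` under a
# `[github]` table header. A plain grep for github.credential_command misses the latter.
scan_mise_configs() {
    find "$1" -type f -name ".mise.toml" -print | while IFS= read -r f; do
        awk -v file="$f" '
            # Track whether we are inside the [github] table; any other header leaves it.
            /^[[:space:]]*\[/ { in_github = ($0 ~ /^[[:space:]]*\[github\]/) }
            /^[[:space:]]*github\.credential_command[[:space:]]*=/ { print file ": " $0; next }
            in_github && /^[[:space:]]*credential_command[[:space:]]*=/ { print file ": " $0 }
        ' "$f"
    done
}

# count_hits DIR: number of credential_command settings found under DIR.
count_hits() {
    scan_mise_configs "$1" | wc -l | tr -d ' '
}

# make_demo_tree: builds a constructed sample tree in a temp directory
# (assumption: mktemp -d is available) and prints its path. One clean config,
# one with the dotted key, one with the table form; values are placeholders.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/clean" "$d/dotted" "$d/table"
    printf '[tools]\nnode = "22"\n' > "$d/clean/.mise.toml"
    printf 'github.credential_command = "echo CONSTRUCTED-SAMPLE"\n' > "$d/dotted/.mise.toml"
    printf '[github]\ncredential_command = "echo CONSTRUCTED-SAMPLE"\n' > "$d/table/.mise.toml"
    printf '%s\n' "$d"
}

# Stand-alone run: scan the constructed tree and report, then clean up.
demo=$(make_demo_tree)
scan_mise_configs "$demo"
echo "hits: $(count_hits "$demo")"   # prints: hits: 2
rm -rf "$demo"
```

Run it against a checkout instead of the constructed tree with `scan_mise_configs /path/to/repo`; any output line is a config that would have been executed by an affected mise version and should be reviewed before running GitHub-related mise commands there.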

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the mise tool to version 2026.6.4 or later, where the issue is fixed by ignoring the `github.credential_command` setting in non-global project config files.

Additionally, avoid running GitHub-related mise commands in repositories where you do not trust the `.mise.toml` file or where you suspect it may have been tampered with.

As a temporary measure, ensure that a higher-priority GitHub token environment variable is set, which prevents the vulnerable code path from executing the `github.credential_command`.
