CVE-2026-55448
Deferred Deferred - Pending Action

Arbitrary Command Execution in mise Dev Tool Manager

Vulnerability report for CVE-2026-55448, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-27

Assigner: GitHub, Inc.

Description

mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credential_command from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the victim runs a GitHub-related mise command and no higher-priority GitHub token environment variable is set. This vulnerability is fixed in 2026.6.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-27
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55448 is a vulnerability in the mise tool where a local project configuration file (.mise.toml) can specify a setting called github.credential_command that is executed without proper validation.

An attacker who can place a malicious .mise.toml file in a repository can execute arbitrary shell commands on the victim's system when the victim runs a GitHub-related mise command, assuming no higher-priority GitHub token environment variable is set.

This happens because mise loads and executes the github.credential_command from untrusted local files before making any trust decisions, leading to command injection via the shell execution path.

The vulnerability is fixed in version 2026.6.4 by ignoring github.credential_command in non-global project config files.

Detection Guidance

This vulnerability can be detected by checking for the presence of a local project configuration file named `.mise.toml` in repositories where the mise tool is used, especially if the `github.credential_command` setting is present.

You can inspect the contents of `.mise.toml` files for suspicious or unexpected commands in the `github.credential_command` field.

Suggested commands to detect this vulnerability include:

  • Find `.mise.toml` files in your project directories: `find . -name ".mise.toml"`
  • Search for the `github.credential_command` setting inside these files: `grep -H "github.credential_command" $(find . -name ".mise.toml")`
  • Review the output for any suspicious shell commands that could be executed.
Impact Analysis

This vulnerability can allow an attacker to execute arbitrary shell commands on your system when you run GitHub-related mise commands in a repository containing a malicious .mise.toml file.

The impact includes potential compromise of confidentiality and integrity of your system, as the attacker can run commands with your user privileges.

The CVSS score of 6.3 indicates a moderate severity, with a local attack vector, high complexity, no required privileges, but requiring user interaction.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary shell commands on a victim's system, potentially leading to unauthorized access or modification of sensitive data.

Such unauthorized access and potential data compromise could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding confidentiality and integrity of sensitive information.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the mise tool to version 2026.6.4 or later, where the issue is fixed by ignoring the `github.credential_command` setting in non-global project config files.

Additionally, avoid running GitHub-related mise commands in repositories where you do not trust the `.mise.toml` file or where you suspect it may have been tampered with.

As a temporary measure, ensure that a higher-priority GitHub token environment variable is set, which prevents the vulnerable code path from executing the `github.credential_command`.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55448. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart