CVE-2026-55448
mise: Local credential_command executes untrusted config
Description
mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credential_command from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the victim runs a GitHub-related mise command and no higher-priority GitHub token environment variable is set. This vulnerability is fixed in 2026.6.4.
INFO
Published Date :
June 26, 2026, 4:46 p.m.
Last Modified :
June 26, 2026, 4:46 p.m.
Remotely Exploit :
No
Source :
GitHub_M
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | MITRE-CVE |
Solution
- Update mise to version 2026.6.4 or later.
- Avoid loading untrusted mise project configurations.
- Ensure GitHub token environment variables are set.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-55448 vulnerability anywhere in the article.