{"uuid": "1ddf8307-64ef-4663-964a-080a6e0ff0c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47211", "type": "seen", "source": "https://gist.github.com/alon710/27a1a02d7c391b1b2590b0cf7da6fc5e", "content": "# GHSA-JV2H-4P9V-WF5W: GHSA-JV2H-4P9V-WF5W: Arbitrary Remote Code Execution via Incomplete Environment Denylist in Ouroboros AI\n\n&gt; **CVSS Score:** 8.8\n&gt; **Published:** 2026-06-19\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-JV2H-4P9V-WF5W\n\n## Summary\nAn arbitrary Remote Code Execution (RCE) vulnerability exists in ouroboros-ai due to an incomplete fix for CVE-2026-47211. Ouroboros automatically loads environment configurations from local .env files located in the current working directory (CWD) of cloned repositories. Although a denylist (_UNTRUSTED_ENV_DENYLIST) was introduced in version 0.39.0 to filter out execution-routing environment variables, multiple critical configuration variables were omitted, enabling complete sandbox bypass and arbitrary system command execution.\n\n## TL;DR\nOuroboros AI is vulnerable to arbitrary remote code execution via untrusted environment variables and working directory configurations, allowing attackers to run arbitrary system commands by getting a user to execute Ouroboros inside a cloned repository.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **Vulnerability Type**: CWE-426: Untrusted Search Path / CWE-15: External Control of System Configuration\n- **Affected Component**: Environment Staging &amp; MCP Bridge Configuration\n- **Attack Vector**: Network / File system parsing\n- **Exploit Status**: Proof of Concept (PoC) available\n- **Impact**: Remote Code Execution (RCE)\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Ouroboros AI systems utilizing command-line runtimes and local directory loading.\n- **ouroboros-ai**: &lt; 0.42.1 (Fixed in: `0.42.1`)\n\n## Mitigation\n\n- Update ouroboros-ai to version 0.42.1 or newer.\n- Avoid running Ouroboros commands inside untrusted workspace directories.\n- Implement environment-level locks to ignore local .env variables in sensitive workspaces.\n\n**Remediation Steps:**\n1. Check the installed version of ouroboros-ai using pip: `pip show ouroboros-ai`.\n2. Upgrade the dependency package: `pip install --upgrade ouroboros-ai&gt;=0.42.1`.\n3. Remove manual .env files from current working directories before invoking command-line tooling.\n\n## References\n\n- [GitHub Security Advisory GHSA-jv2h-4p9v-wf5w](https://github.com/Q00/ouroboros/security/advisories/GHSA-jv2h-4p9v-wf5w)\n- [Ouroboros Source Repository](https://github.com/Q00/ouroboros)\n- [Fix Pull Request 1078](https://github.com/Q00/ouroboros/pull/1078)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-JV2H-4P9V-WF5W) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T16:11:36.000000Z"}