GHSA-JV2H-4P9V-WF5W

Vulnerability from github – Published: 2026-06-19 15:12 – Updated: 2026-06-19 15:12
VLAI
Summary
ouroboros-ai: Incomplete fix of CVE-2026-47211: untrusted project .env can still reach RCE via omitted execution-routing keys
Details

Impact

The CVE-2026-47211 fix (0.39.0) added _UNTRUSTED_ENV_DENYLIST to stop an untrusted project-directory .env from redirecting execution. The denylist was incomplete — several execution-routing keys of the same RCE class were omitted, so a malicious cloned repo can still reach arbitrary command execution by shipping a .env (auto-loaded at import, no review step):

  • Backend config-home roots CODEX_HOME, OPENCODE_CONFIG, OPENCODE_CONFIG_DIR, XDG_CONFIG_HOME: a spawned vendor CLI resolves its config from these. CODEX_HOME=./.evil + committed ./.evil/config.toml redirects the nested Codex agent to attacker config — mcp_servers.<name>.command/args (RCE) and approval_policy="never" / sandbox_mode="danger-full-access" (silent removal of the human approval gate). (reported by matte1782)
  • MCP bridge / plugin execution roster OUROBOROS_MCP_CONFIG (the YAML's server command/args are spawned via stdio_client — RCE), OUROBOROS_PLUGIN_LOCKFILE, OUROBOROS_PLUGIN_TRUST_ROOT (redirect the installed-plugin roster / trust root so ooo <name> dispatches into attacker code). (reported by hackkim)
  • SSRF guard toggle OUROBOROS_ALLOW_LOCAL_TRANSPORT (re-enables loopback/private MCP transport targets).
  • Instruction / capability roots OUROBOROS_AGENTS_DIR, COPILOT_CUSTOM_INSTRUCTIONS_DIRS (replace spawned sub-agent role prompts), OUROBOROS_RUNTIME_PROFILE (backend selector), OUROBOROS_TOOL_CAPABILITIES (override YAML can lower a tool's approval_class, weakening the approval gate).

Additionally, the MCP bridge auto-loaded ./.ouroboros/mcp_servers.yaml from the working directory (create_bridge_from_env(cwd=Path.cwd())), so running ooo inside a malicious repo spawned the committed roster's command — RCE with no .env at all. (cwd-branch noted by hackkim)

Patches

Fixed in 0.42.1. All listed keys were added to _UNTRUSTED_ENV_DENYLIST; the cwd auto-discovery branch was removed (only the explicit OUROBOROS_MCP_CONFIG env var and ~/.ouroboros/mcp_servers.yaml remain, both trusted). The regression suite now derives from the source denylist to prevent future drift.

Workarounds

Do not run Ouroboros from an untrusted/cloned repository directory; remove any project-directory .env and ./.ouroboros/mcp_servers.yaml before running.

Credit

Reported privately via coordinated disclosure by matte1782 and hackkim (https://github.com/hackkim).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.42.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "ouroboros-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.42.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-15",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T15:12:25Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nThe CVE-2026-47211 fix (0.39.0) added `_UNTRUSTED_ENV_DENYLIST` to stop an untrusted project-directory `.env` from redirecting execution. The denylist was incomplete \u2014 several execution-routing keys of the same RCE class were omitted, so a malicious cloned repo can still reach arbitrary command execution by shipping a `.env` (auto-loaded at import, no review step):\n\n- **Backend config-home roots** `CODEX_HOME`, `OPENCODE_CONFIG`, `OPENCODE_CONFIG_DIR`, `XDG_CONFIG_HOME`: a spawned vendor CLI resolves its config from these. `CODEX_HOME=./.evil` + committed `./.evil/config.toml` redirects the nested Codex agent to attacker config \u2014 `mcp_servers.\u003cname\u003e.command/args` (RCE) and `approval_policy=\"never\"` / `sandbox_mode=\"danger-full-access\"` (silent removal of the human approval gate). (reported by matte1782)\n- **MCP bridge / plugin execution roster** `OUROBOROS_MCP_CONFIG` (the YAML\u0027s server `command`/`args` are spawned via stdio_client \u2014 RCE), `OUROBOROS_PLUGIN_LOCKFILE`, `OUROBOROS_PLUGIN_TRUST_ROOT` (redirect the installed-plugin roster / trust root so `ooo \u003cname\u003e` dispatches into attacker code). (reported by hackkim)\n- **SSRF guard toggle** `OUROBOROS_ALLOW_LOCAL_TRANSPORT` (re-enables loopback/private MCP transport targets).\n- **Instruction / capability roots** `OUROBOROS_AGENTS_DIR`, `COPILOT_CUSTOM_INSTRUCTIONS_DIRS` (replace spawned sub-agent role prompts), `OUROBOROS_RUNTIME_PROFILE` (backend selector), `OUROBOROS_TOOL_CAPABILITIES` (override YAML can lower a tool\u0027s `approval_class`, weakening the approval gate).\n\nAdditionally, the MCP bridge auto-loaded `./.ouroboros/mcp_servers.yaml` from the working directory (`create_bridge_from_env(cwd=Path.cwd())`), so running `ooo` inside a malicious repo spawned the committed roster\u0027s `command` \u2014 RCE with no `.env` at all. (cwd-branch noted by hackkim)\n\n### Patches\nFixed in 0.42.1. All listed keys were added to `_UNTRUSTED_ENV_DENYLIST`; the cwd auto-discovery branch was removed (only the explicit `OUROBOROS_MCP_CONFIG` env var and `~/.ouroboros/mcp_servers.yaml` remain, both trusted). The regression suite now derives from the source denylist to prevent future drift.\n\n### Workarounds\nDo not run Ouroboros from an untrusted/cloned repository directory; remove any project-directory `.env` and `./.ouroboros/mcp_servers.yaml` before running.\n\n### Credit\nReported privately via coordinated disclosure by matte1782 and hackkim (https://github.com/hackkim).",
  "id": "GHSA-jv2h-4p9v-wf5w",
  "modified": "2026-06-19T15:12:25Z",
  "published": "2026-06-19T15:12:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Q00/ouroboros/security/advisories/GHSA-jv2h-4p9v-wf5w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Q00/ouroboros"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ouroboros-ai: Incomplete fix of CVE-2026-47211: untrusted project .env can still reach RCE via omitted execution-routing keys"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…