Description
mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credential_command from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the victim runs a GitHub-related mise command and no higher-priority GitHub token environment variable is set. This vulnerability is fixed in 2026.6.4.
Severity (CVSS)
| Base score | 6.3 |
|---|---|
| Severity | Medium |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Provided by | CNA |
Weaknesses
- CWE-78 — CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected products
| Vendor | Product | Versions |
|---|---|---|
| jdx | mise | < 2026.6.4 |
References
- https://github.com/jdx/mise/security/advisories/GHSA-29hf-rm4x-xxph (x_refsource_CONFIRM)
Generated from the official CVE List on 27 Jun 2026 07:02 UTC.