PatchSiren cyber security CVE debrief
CVE-2026-33646 jdx CVE debrief
CVE-2026-33646 is a critical vulnerability in mise, a development tool manager that handles dev tools such as node, python, cmake, and terraform. Prior to version 2026.3.10, mise is susceptible to arbitrary command execution because it processes .tool-versions files through the Tera template engine with the exec() function registered during parsing, which lets an attacker execute arbitrary commands. Unlike .mise.toml files, .tool-versions files do not undergo trust verification in non-paranoid mode, so an attacker can place a malicious .tool-versions file in a git repository. When a victim with mise activated changes directory into the compromised repository, the embedded commands execute without any trust prompt. This vulnerability has been addressed in mise version 2026.3.10.
- Vendor: jdx
- Product: mise
- CVSS: CRITICAL 9.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-26
- Original CVE updated: 2026-06-29
- Advisory published: 2026-06-26
- Advisory updated: 2026-06-29
Who should care
Developers and users who rely on mise to manage development tools are exposed to this vulnerability. Specifically, anyone running a mise version prior to 2026.3.10 can be affected if they enter untrusted git repositories with mise activated. This includes developers working with node, python, cmake, and terraform. Organizations that depend on mise for their development environments should prioritize updating to the fixed version.
Technical summary
CVE-2026-33646 arises from the way mise handles .tool-versions files. Mise renders these files with the Tera template engine, and the exec() function is available during that rendering, so a template expression in a malicious .tool-versions file can run arbitrary commands. The issue is particularly dangerous because, in non-paranoid mode, .tool-versions files are not subject to the same trust verification that .mise.toml files receive. An attacker can exploit this by crafting a malicious .tool-versions file and committing it to a git repository. When a user with mise activated navigates into that repository, the commands embedded in the file execute without prompting for trust. The vulnerability has a CVSS score of 9.6, indicating critical severity.
Defensive priority
High priority should be given to updating mise to version 2026.3.10 or later. Additionally, users should exercise caution when interacting with untrusted git repositories, especially those containing .tool-versions files.
Recommended defensive actions
- Update mise to version 2026.3.10 or later immediately.
- Exercise caution with untrusted git repositories containing .tool-versions files.
- Implement additional monitoring for suspicious activity related to mise and .tool-versions files.
- Consider using paranoid mode for enhanced trust verification of .tool-versions files.
- Review and update security policies for development environments using mise.
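The monitoring action above and the mechanism described in the technical summary (template expressions hiding inside a .tool-versions file) can be turned into a simple repository check. The script below is an added example written for this debrief, not code from mise or its maintainers; it assumes the usual `<tool> <version> [<version> ...]` line format with `#` comments and flags any line containing Tera delimiters, with an explicit marker when `exec(` appears. The sample file is constructed for the demonstration.

```python
import re
from pathlib import Path

# Tera template delimiters: expression, statement and comment blocks.
TERA_DELIMS = re.compile(r"\{\{|\{%|\{#")
# Explicit use of the exec() template function named in the advisory.
EXEC_CALL = re.compile(r"\bexec\s*\(")
# Assumed shape of a legitimate line: "<tool> <version> [<version> ...]".
NORMAL_LINE = re.compile(r"^[A-Za-z0-9_.+-]+(\s+[A-Za-z0-9_.:/+@~-]+)+$")


def scan_tool_versions(text: str) -> list[dict]:
    """Return one finding per suspicious line of a .tool-versions file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Check for template syntax before stripping '#' comments, because a
        # Tera comment block '{# ... #}' also contains '#'.
        if TERA_DELIMS.search(raw):
            reason = "tera-exec" if EXEC_CALL.search(raw) else "tera-template"
            findings.append({"line": lineno, "reason": reason, "text": raw})
            continue
        stripped = raw.split("#", 1)[0].strip()
        if not stripped:
            continue  # blank line or plain comment
        if not NORMAL_LINE.match(stripped):
            findings.append({"line": lineno, "reason": "unexpected-format", "text": raw})
    return findings


def scan_repo(root: Path) -> dict[str, list[dict]]:
    """Scan every .tool-versions file below root (skipping .git internals)."""
    results = {}
    for path in root.rglob(".tool-versions"):
        if ".git" in path.parts:
            continue
        findings = scan_tool_versions(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample: two clean lines, one exec() call, one other template block.
SAMPLE = """\
# constructed sample .tool-versions for the demo
node 20.11.0
python 3.12.2 3.11.8
terraform {{ exec(command="echo constructed-demo") }}
cmake {% if true %}3.28.1{% endif %}
ruby 3.3.0 # pinned
"""

if __name__ == "__main__":
    for f in scan_tool_versions(SAMPLE):
        print(f"line {f['line']}: {f['reason']}: {f['text']}")
```

Run `scan_repo(Path("."))` from a checkout to list every flagged file; a clean repository returns an empty dict.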
Evidence notes
CVE-2026-33646 was publicly disclosed on June 26, 2026, and the record was last modified on June 29, 2026. The vulnerability affects mise versions prior to 2026.3.10. Details were obtained from the NVD database and CVE.org, which describe the vulnerability's impact and mitigation.
Official resources
- CVE-2026-33646 CVE record (CVE.org)
- CVE-2026-33646 NVD detail (NVD)
- Source reference: This article is AI-assisted and based on the supplied source corpus.