python-utcp is the python implementation of UTCP. Prior to 1.1.3, the _substitute_utcp_args method in cli_communication_protocol.py inserts user-controlled tool_args values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c (Unix) or powershell.exe -Command (Windows), allowing an attacker to inject arbitrary shell commands. This vulnerability is fixed in 1.1.3.
CVE-2026-45369
This high-severity CVE scores 8.3 under NVD CVSS v3. EPSS exploit probability: 0.3%, top 81% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.3
- EG Score
- 8.3(medium)
- EPSS
- 19.0%
- KEV
- Not listed
Published
May 14, 2026
Last Modified
May 16, 2026
Advisory Details (1)
Auto-updated May 14, 2026Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol · Advisory · universal-tool-calling-protocol/python-utcp · GitHub
https://github.com/universal-tool-calling-protocol/python-utcp/security/advisories/GHSA-33p6-5jxp-p3x4Vendor Advisories for CVE-2026-45369(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| utcp-cli | 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1 | 1.1.2 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Related CVEs(same CWE)
Same CWE
10 shownCWE-78
Frequently asked(5)
What is CVE-2026-45369?
When was CVE-2026-45369 disclosed?
Is CVE-2026-45369 actively exploited?
What is the CVSS score of CVE-2026-45369?
How do I remediate CVE-2026-45369?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45369
Is Your Infrastructure Affected by CVE-2026-45369?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.