HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-33646Published Modified CNA GitHub_M

CVE-2026-33646: mise: Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass)

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec() function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not subject to trust verification in non-paranoid mode. This means an attacker can place a malicious .tool-versions file in a git repository, and when a victim with mise activated cds into the directory, arbitrary commands execute without any trust prompt. This vulnerability is fixed in 2026.3.10.

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an arbitrary code execution vulnerability in mise, a developer tool version manager. An attacker can embed malicious Tera template directives containing shell commands inside a .tool-versions file in a Git repository; when a victim with mise activated changes into that directory, the commands execute silently with no trust prompt. Successful exploitation gives the attacker full code execution in the context of the victim's user session, with high impact to confidentiality, integrity, and availability. No fix version has been published yet; HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available the moment one is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-33646 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds, including custom-built images that bundle mise. Any image found to carry an affected version of mise (prior to 2026.3.10) is flagged immediately in the pipeline scan results.

Available
Triage

Triage is available with the CVSS v3.1 score of 9.6 (CRITICAL) applied automatically, weighted against each customer organization's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer org based on configured policy thresholds and ownership rules.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream project ships a corrected release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the malicious .tool-versions file over the network, typically by pushing it to a publicly or privately accessible Git repository that the victim clones or pulls.

  • AuthenticationNot required

    No authentication is needed; any unauthenticated attacker who can contribute or push a file to a repository the victim accesses can carry out the attack.

  • Victim interactionRequired

    The victim must change into the directory containing the malicious .tool-versions file while mise is activated, making this a social-engineering or supply-chain scenario requiring victim action.

  • Attack complexityDetail

    Exploit reliability is high and condition-free; once the file is in place, code execution triggers deterministically on directory entry with no race conditions or special environment requirements.

Blast Radius

  • Executes arbitrary shell commands in the context of the victim's user account, giving the attacker full control over anything that user can do on the host.
  • Reads files accessible to the victim, including SSH keys, API tokens, shell history, and local secrets stored in dotfiles or credential managers.
  • Writes or modifies files on the victim's filesystem, including source code, configuration, and deployed artifacts in local working directories.
  • Crashes or disrupts local development services and processes running under the victim's session.

How HarborGuard Handles This

Available on HarborGuard: images containing mise prior to version 2026.3.10 are flagged as CRITICAL the moment the CVE enters any upstream feed, with scan results visible in the pipeline dashboard and routed to the owning team based on each organization's compliance policy. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will automatically initiate a patched-image rebuild the moment jdx/mise ships a corrected release. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads, with a median time from upstream fix publication to merged patch PR of around 90 minutes for CRITICAL-severity issues. In the interim, compensating controls available to consider include isolating developer workstations and CI runners behind strict network policy to limit which repositories can push .tool-versions files, auditing container images that bundle mise for use in automated pipelines where directory-traversal behavior may be triggered without human review, and disabling or restricting the Tera exec() capability at the environment level if mise configuration allows feature-flag gating of that function.

See how HarborGuard automates this
Affected packages
  • jdx / mise
    < 2026.3.10
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References