CVE-2026-34113: Guardian Language-System Unauthenticated OS Command Injection via id Parameter in speech_text.php
Guardian language-system passes the id GET parameter directly into a PHP exec() call in speech_text.php (line 18) without sanitization: exec(\"php jobs/speech_audio_text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is an OS command injection vulnerability in Guardian language-system, a PHP-based application. The flaw exists in speech_text.php, where the id GET parameter is passed directly into a PHP exec() call without any sanitization or authentication check, allowing an unauthenticated attacker to reach it over the network by appending shell metacharacters to a simple HTTP request. Successful exploitation gives the attacker arbitrary OS command execution on the server, enabling full system compromise including data theft, file modification, and persistent access. HarborGuard is tracking the advisory for patch availability since no fix version has been published upstream.
HarborGuard Coverage
Detection for CVE-2026-34113 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Guardian language-system at the affected commit. Any image containing a version at or before commit e42c395ec4b03fe62973a669c9209a673838b8a4 is flagged automatically.
AvailableHarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v4.0 vector and surfaces it at the top of the severity queue. Per-environment compliance policy weighting is applied before routing the finding to the appropriate team inbox within each customer organization.
AvailableBecause no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released upstream. In the meantime, customers with auto-remediation enabled can apply compensating controls such as network-policy isolation rules or egress filtering through HarborGuard-generated policy PRs where their compliance policy permits.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the server running speech_text.php.
- AuthenticationNot required
No credentials or session token of any kind are required; the vulnerable exec() call is reachable by any unauthenticated HTTP request.
- Victim interactionNot required
The attacker sends a crafted HTTP GET request directly to the server; no user action or social engineering is needed.
- Attack complexityDetail
Exploitation is reliable and condition-free; appending shell metacharacters to the id parameter requires no race conditions, memory layout knowledge, or environmental setup.
Blast Radius
- Attacker executes arbitrary OS commands as the web server process user, enabling full read access to all files on the host including credentials, private keys, and application data.
- Attacker can write or overwrite files on the server, modifying application code, configuration, or injecting backdoors for persistent access.
- Attacker can crash or kill running processes on the host, taking down the affected service and any co-located services.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-34113, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment Guardian language-system ships a fix. While the vulnerability is unpatched, customers can use HarborGuard to apply compensating controls: network policy isolation to restrict inbound HTTP access to speech_text.php at the container or namespace level, egress filtering to limit outbound connections from the affected workload, and runtime alerting on exec-family syscalls from the PHP process. For customers who opt into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be opened automatically as soon as an upstream fix is published. Given the critical severity and zero-barrier exploitability of this issue, immediate manual review of any image containing this component is strongly recommended regardless of auto-remediation configuration.
- guardian / language-system≤ e42c395ec4b03fe62973a669c9209a673838b8a4
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N