HIGH | CVE-2026-45152 | CNA: GitHub_M

CVE-2026-45152: uniget: Command Injection in tool.Check Leading to Arbitrary Code Execution

uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system when common uniget operations such as describe, install, update, or inspect are performed. This vulnerability can lead to arbitrary code execution with the privileges of the user running uniget. This vulnerability is fixed in 0.27.1.
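As an added illustration (not uniget's own code; the ToolMetadata type and its field names are assumptions, not the project's schema), the following Go snippet shows the defensive alternative to the pattern the advisory describes: instead of handing an untrusted check string to /bin/bash -c, validate it and execute it as an argv with no shell involved.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"strings"
)

// ToolMetadata mirrors the advisory's description of a JSON metadata file
// with a "check" string; the field names are assumptions, not uniget's schema.
type ToolMetadata struct {
	Name  string `json:"name"`
	Check string `json:"check"`
}

// shellMeta: characters that let a check escape a single command under /bin/bash -c.
const shellMeta = "$`|&;<>(){}[]*?!~#\\\"'\n"

// ValidateCheck refuses empty checks and any check a shell could reinterpret.
func ValidateCheck(check string) error {
	if strings.TrimSpace(check) == "" || strings.ContainsAny(check, shellMeta) {
		return fmt.Errorf("check %q is empty or contains shell metacharacters", check)
	}
	return nil
}

// BuildCheckCommand is the hardened form of the vulnerable pattern
// exec.Command("/bin/bash", "-c", md.Check): the check is validated, split into
// argv and run without a shell. argv[0] is still attacker-chosen, so pair this
// with an allowlist of permitted binaries in real code.
func BuildCheckCommand(md ToolMetadata) (*exec.Cmd, error) {
	if err := ValidateCheck(md.Check); err != nil {
		return nil, fmt.Errorf("tool %s: %w", md.Name, err)
	}
	argv := strings.Fields(md.Check)
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	// Constructed sample metadata; the second record carries a command substitution.
	for _, raw := range []string{`{"name":"jq","check":"jq --version"}`, `{"name":"evil","check":"jq --version $(id)"}`} {
		var md ToolMetadata
		if err := json.Unmarshal([]byte(raw), &md); err != nil {
			panic(err) // constructed input, so a parse failure is a bug here
		}
		_, err := BuildCheckCommand(md)
		fmt.Printf("%s: accepted=%v err=%v\n", md.Name, err == nil, err)
	}
}
```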

HarborGuard Analysis

Synopsis

Command injection in uniget (the universal tool installer and updater for container environments) allows an attacker who controls metadata files to execute arbitrary shell commands on the victim's system. The vulnerability is reached locally and requires the victim to perform a common uniget operation such as describe, install, update, or inspect, triggering unsanitized execution of the check field via /bin/bash -c. Successful exploitation gives the attacker full code execution with the privileges of the user running uniget. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle uniget. Any image carrying an affected version of uniget-org/cli is flagged automatically in both registry scans and CI pipeline checks.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 7.8 HIGH and is capable of weighting that score against each customer environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available
Patch

Because no upstream fix has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream project ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required to stage the attack.

  • Authentication: Not required

    No account or credential is required; the attack is delivered through a crafted metadata file rather than any authenticated interface.

  • Victim interaction: Required

    The victim must run a uniget operation (such as describe, install, update, or inspect) that triggers parsing of the malicious metadata, making this a social-engineering or supply-chain-staging scenario.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free once the malicious metadata is in place; no race conditions or memory-layout dependencies are involved.

Blast Radius

  • Reads files and secrets accessible to the user running uniget, including environment variables, SSH keys, and local credential stores.
  • Writes or modifies files on the host with the same user's permissions, enabling persistence or tampering with local tooling.
  • Executes arbitrary processes on the host, up to and including spawning reverse shells or lateral-movement tools.
  • Crashes or corrupts the local uniget installation and any dependent tooling if the injected payload targets those resources.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against every image in customer registries and pipelines that bundles uniget-org/cli below version 0.27.1. Because no upstream patch exists yet, HarborGuard monitors the advisory on each ingest cycle and will make a patched-image rebuild available the moment the upstream project publishes a fix. In the interim, customers can apply compensating controls through HarborGuard policy: flagging or blocking images that include uniget, enforcing network-policy isolation on build environments where uniget runs, and restricting egress from those environments to limit the damage radius of any successful injection. Where compliance policy permits auto-remediation, a rebuild, regression test run, and PR against affected workloads will be initiated automatically once a fix version is confirmed upstream.


Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0.27.1 (per the upstream advisory above)
  • Affected products: 1
  • Affected packages: uniget-org / cli, versions < 0.27.1
  • CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H