GHSA-JV2H-4P9V-WF5W
Vulnerability from github – Published: 2026-06-19 15:12 – Updated: 2026-06-19 15:12Impact
The CVE-2026-47211 fix (0.39.0) added _UNTRUSTED_ENV_DENYLIST to stop an untrusted project-directory .env from redirecting execution. The denylist was incomplete — several execution-routing keys of the same RCE class were omitted, so a malicious cloned repo can still reach arbitrary command execution by shipping a .env (auto-loaded at import, no review step):
- Backend config-home roots
CODEX_HOME,OPENCODE_CONFIG,OPENCODE_CONFIG_DIR,XDG_CONFIG_HOME: a spawned vendor CLI resolves its config from these.CODEX_HOME=./.evil+ committed./.evil/config.tomlredirects the nested Codex agent to attacker config —mcp_servers.<name>.command/args(RCE) andapproval_policy="never"/sandbox_mode="danger-full-access"(silent removal of the human approval gate). (reported by matte1782) - MCP bridge / plugin execution roster
OUROBOROS_MCP_CONFIG(the YAML's servercommand/argsare spawned via stdio_client — RCE),OUROBOROS_PLUGIN_LOCKFILE,OUROBOROS_PLUGIN_TRUST_ROOT(redirect the installed-plugin roster / trust root soooo <name>dispatches into attacker code). (reported by hackkim) - SSRF guard toggle
OUROBOROS_ALLOW_LOCAL_TRANSPORT(re-enables loopback/private MCP transport targets). - Instruction / capability roots
OUROBOROS_AGENTS_DIR,COPILOT_CUSTOM_INSTRUCTIONS_DIRS(replace spawned sub-agent role prompts),OUROBOROS_RUNTIME_PROFILE(backend selector),OUROBOROS_TOOL_CAPABILITIES(override YAML can lower a tool'sapproval_class, weakening the approval gate).
Additionally, the MCP bridge auto-loaded ./.ouroboros/mcp_servers.yaml from the working directory (create_bridge_from_env(cwd=Path.cwd())), so running ooo inside a malicious repo spawned the committed roster's command — RCE with no .env at all. (cwd-branch noted by hackkim)
Patches
Fixed in 0.42.1. All listed keys were added to _UNTRUSTED_ENV_DENYLIST; the cwd auto-discovery branch was removed (only the explicit OUROBOROS_MCP_CONFIG env var and ~/.ouroboros/mcp_servers.yaml remain, both trusted). The regression suite now derives from the source denylist to prevent future drift.
Workarounds
Do not run Ouroboros from an untrusted/cloned repository directory; remove any project-directory .env and ./.ouroboros/mcp_servers.yaml before running.
Credit
Reported privately via coordinated disclosure by matte1782 and hackkim (https://github.com/hackkim).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.42.0"
},
"package": {
"ecosystem": "PyPI",
"name": "ouroboros-ai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.42.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T15:12:25Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThe CVE-2026-47211 fix (0.39.0) added `_UNTRUSTED_ENV_DENYLIST` to stop an untrusted project-directory `.env` from redirecting execution. The denylist was incomplete \u2014 several execution-routing keys of the same RCE class were omitted, so a malicious cloned repo can still reach arbitrary command execution by shipping a `.env` (auto-loaded at import, no review step):\n\n- **Backend config-home roots** `CODEX_HOME`, `OPENCODE_CONFIG`, `OPENCODE_CONFIG_DIR`, `XDG_CONFIG_HOME`: a spawned vendor CLI resolves its config from these. `CODEX_HOME=./.evil` + committed `./.evil/config.toml` redirects the nested Codex agent to attacker config \u2014 `mcp_servers.\u003cname\u003e.command/args` (RCE) and `approval_policy=\"never\"` / `sandbox_mode=\"danger-full-access\"` (silent removal of the human approval gate). (reported by matte1782)\n- **MCP bridge / plugin execution roster** `OUROBOROS_MCP_CONFIG` (the YAML\u0027s server `command`/`args` are spawned via stdio_client \u2014 RCE), `OUROBOROS_PLUGIN_LOCKFILE`, `OUROBOROS_PLUGIN_TRUST_ROOT` (redirect the installed-plugin roster / trust root so `ooo \u003cname\u003e` dispatches into attacker code). (reported by hackkim)\n- **SSRF guard toggle** `OUROBOROS_ALLOW_LOCAL_TRANSPORT` (re-enables loopback/private MCP transport targets).\n- **Instruction / capability roots** `OUROBOROS_AGENTS_DIR`, `COPILOT_CUSTOM_INSTRUCTIONS_DIRS` (replace spawned sub-agent role prompts), `OUROBOROS_RUNTIME_PROFILE` (backend selector), `OUROBOROS_TOOL_CAPABILITIES` (override YAML can lower a tool\u0027s `approval_class`, weakening the approval gate).\n\nAdditionally, the MCP bridge auto-loaded `./.ouroboros/mcp_servers.yaml` from the working directory (`create_bridge_from_env(cwd=Path.cwd())`), so running `ooo` inside a malicious repo spawned the committed roster\u0027s `command` \u2014 RCE with no `.env` at all. (cwd-branch noted by hackkim)\n\n### Patches\nFixed in 0.42.1. All listed keys were added to `_UNTRUSTED_ENV_DENYLIST`; the cwd auto-discovery branch was removed (only the explicit `OUROBOROS_MCP_CONFIG` env var and `~/.ouroboros/mcp_servers.yaml` remain, both trusted). The regression suite now derives from the source denylist to prevent future drift.\n\n### Workarounds\nDo not run Ouroboros from an untrusted/cloned repository directory; remove any project-directory `.env` and `./.ouroboros/mcp_servers.yaml` before running.\n\n### Credit\nReported privately via coordinated disclosure by matte1782 and hackkim (https://github.com/hackkim).",
"id": "GHSA-jv2h-4p9v-wf5w",
"modified": "2026-06-19T15:12:25Z",
"published": "2026-06-19T15:12:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Q00/ouroboros/security/advisories/GHSA-jv2h-4p9v-wf5w"
},
{
"type": "PACKAGE",
"url": "https://github.com/Q00/ouroboros"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ouroboros-ai: Incomplete fix of CVE-2026-47211: untrusted project .env can still reach RCE via omitted execution-routing keys"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.