Threat Advisory

Uniget CLI Vulnerability Opens Shell Injection in Unsanitized Payload

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-45152, with a CVSS score of 7.8, is a command injection vulnerability in gitlab.com/uniget-org/cli affecting versions. The vulnerability allows arbitrary command execution through the metadata loading and version check mechanism, because the `check` field from metadata files is executed unsafely using `/bin/bash -c`. An attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system when common uniget operations such as `describe`, `install`, `update`, or `inspect` are performed. This leads to arbitrary code execution with the privileges of the user running uniget; with that level of access an attacker could exfiltrate sensitive files or escalate privileges. If exploited, the business impact includes unauthorized access to sensitive data or full system compromise, giving the attacker a foothold for further malicious activity. Prerequisites for exploitation are a victim running an affected version of go/gitlab.com/uniget-org/cli and the attacker being able to manipulate metadata files loaded by uniget.
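To make the root cause concrete, the following Go program is an added illustration (not code from uniget or from this advisory's source) of the vulnerable pattern the summary describes, namely handing a metadata `check` string to `/bin/bash -c`, next to a hardened variant that never invokes a shell and validates every token against a conservative allowlist before executing it as a plain argv. The `ToolMetadata` type, the `allowedCheckArg` pattern, and the function names are assumptions made for this example and do not reflect how the project actually structures or fixed its code.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// ToolMetadata is a hypothetical stand-in for a uniget metadata record;
// only the check field matters here.
type ToolMetadata struct {
	Name  string
	Check string
}

// runCheckUnsafe shows the vulnerable pattern from the advisory: the
// check field reaches a shell verbatim, so any shell syntax inside it
// (command separators, substitutions, redirections) is interpreted.
// Kept only for contrast; nothing in this program calls it.
func runCheckUnsafe(m ToolMetadata) ([]byte, error) {
	return exec.Command("/bin/bash", "-c", m.Check).Output()
}

// allowedCheckArg restricts every token of a check command to a small
// character set with no shell metacharacters, whitespace or quoting.
var allowedCheckArg = regexp.MustCompile(`^[A-Za-z0-9._/=+:@-]+$`)

// validateCheck splits the check field into argv on whitespace (no shell
// parsing) and rejects any token outside the allowlist. It returns the
// argv on success so the caller can execute it directly.
func validateCheck(check string) ([]string, error) {
	fields := strings.Fields(check)
	if len(fields) == 0 {
		return nil, errors.New("empty check command")
	}
	for _, f := range fields {
		if !allowedCheckArg.MatchString(f) {
			return nil, fmt.Errorf("check field contains disallowed token %q", f)
		}
	}
	return fields, nil
}

// runCheckSafe executes the validated argv without a shell. Each argument
// is a separate argv entry, so it can never be reinterpreted as syntax.
func runCheckSafe(m ToolMetadata) ([]byte, error) {
	argv, err := validateCheck(m.Check)
	if err != nil {
		return nil, fmt.Errorf("refusing check for %s: %w", m.Name, err)
	}
	return exec.Command(argv[0], argv[1:]...).Output()
}

func main() {
	// Constructed sample records: one benign, one carrying shell syntax.
	samples := []ToolMetadata{
		{Name: "example-tool", Check: "example-tool --version"},
		{Name: "tampered-tool", Check: "example-tool --version; echo injected"},
	}
	for _, m := range samples {
		if argv, err := validateCheck(m.Check); err != nil {
			fmt.Printf("%s: rejected (%v)\n", m.Name, err)
		} else {
			fmt.Printf("%s: would run argv %q without a shell\n", m.Name, argv)
		}
	}
}
```

The allowlist deliberately permits `/` so that a check can name an installed binary by path; a stricter deployment would additionally pin `argv[0]` to the tool's own install location, or avoid executing metadata-supplied commands at all and compare version strings instead.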


RECOMMENDATION:

We recommend updating gitlab.com/uniget-org/cli to version 0.27.3 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-qqq4-5773-pmw5
