CVE-2026-45369 HIGH

CVE-2026-45369: python-utcp: Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol

Vendor Universal-Tool-Calling-Protocol

Product python-utcp

Weakness CWE-78

Published May 14, 2026

Last update May 16, 2026

View on NVD All CVEs

CVSS base score

8.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

Description

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the _substitute_utcp_args method in cli_communication_protocol.py inserts user-controlled tool_args values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c (Unix) or powershell.exe -Command (Windows), allowing an attacker to inject arbitrary shell commands. This vulnerability is fixed in 1.1.3.

Key dates

Disclosure timeline

May 14, 2026 CVE published

May 16, 2026 Record updated