{"id":"CVE-2026-55448","summary":"mise: Local credential_command executes untrusted config","details":"mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credential_command from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the victim runs a GitHub-related mise command and no higher-priority GitHub token environment variable is set. This vulnerability is fixed in 2026.6.4.","aliases":["GHSA-29hf-rm4x-xxph"],"modified":"2026-07-15T01:49:08.961140489Z","published":"2026-06-26T16:46:17.280Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55448.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55448.json"},{"type":"ADVISORY","url":"https://github.com/jdx/mise/security/advisories/GHSA-29hf-rm4x-xxph"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55448"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jdx/mise","events":[{"introduced":"0"},{"fixed":"3aaf9f04d148e8fbbc7e9b536a18cfab9d88d54a"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2026.6.4"}],"source":"AFFECTED_FIELD"}}],"versions":["vfox-v2026.6.3","v2026.6.3","vfox-v2026.6.2","v2026.6.2","vfox-v2026.6.1","v2026.6.1","aqua-registry-v2026.6.1","vfox-v2026.5.17","v2026.5.18","vfox-v2026.6.0","v2026.6.0","aqua-registry-v2026.6.0","vfox-v2026.5.16","v2026.5.17","mise-sigstore-v2026.5.6","aqua-registry-v2026.5.9","vfox-v2026.5.15","v2026.5.16","mise-sigstore-v2026.5.5","vfox-v2026.5.14","v2026.5.15","vfox-v2026.5.13","v2026.5.14","vfox-v2026.5.12","v2026.5.13","vfox-v2026.5.11","v2026.5.12","mise-sigstore-v2026.5.3","vfox-v2026.5.10","v2026.5.11","mise-sigstore-v2026.5.2","vfox-v2026.5.9","v2026.5.10","mise-sigstore-v2026.5.1","vfox-v2026.5.8","v2026.5.9","aqua-registry-v2026.5.8","vfox-v2026.5.7","v2026.5.8","mise-sigstore-v2026.5.0","mise-sigstore-v0.1.0","vfox-v2026.5.6","v2026.5.7","vfox-v2026.5.5","v2026.5.6","aqua-registry-v2026.5.7","v2026.5.5","v2026.5.4","aqua-registry-v2026.5.4","v2026.5.3","aqua-registry-v2026.5.3","vfox-v2026.5.2","v2026.5.2","aqua-registry-v2026.5.2","vfox-v2026.5.1","v2026.5.1","aqua-registry-v2026.5.1","vfox-v2026.5.0","v2026.5.0","aqua-registry-v2026.5.0","v2026.4.28","vfox-v2026.4.9","v2026.4.27","aqua-registry-v2026.4.14","v2026.4.26","v2026.4.25","vfox-v2026.4.8","v2026.4.24","vfox-v2026.4.7","v2026.4.23","aqua-registry-v2026.4.13","v2026.4.22","aqua-registry-v2026.4.12","v2026.4.21","v2026.4.20","aqua-registry-v2026.4.11","vfox-v2026.4.6","v2026.4.19","mise-interactive-config-v2026.4.2","aqua-registry-v2026.4.10","vfox-v2026.4.5","v2026.4.18","mise-interactive-config-v2026.4.1","vfox-v2026.4.4","v2026.4.17","aqua-registry-v2026.4.9","v2026.4.16","mise-interactive-config-v2026.4.0","aqua-registry-v2026.4.8","v2026.4.15","aqua-registry-v2026.4.7","v2026.4.14","v2026.4.13","v2026.4.12","aqua-registry-v2026.4.6","v2026.4.11","v2026.4.10","v2026.4.9","aqua-registry-v2026.4.5","vfox-v2026.4.3","v2026.4.8","v2026.4.7","vfox-v2026.4.2","v2026.4.6","v2026.4.5","aqua-registry-v2026.4.4","vfox-v2026.4.1","v2026.4.4","aqua-registry-v2026.4.3","v2026.4.3","v2026.4.2","vfox-v2026.4.0","v2026.4.1","aqua-registry-v2026.4.2","v2026.4.0","aqua-registry-v2026.4.1","vfox-v2026.3.5","v2026.3.18","aqua-registry-v2026.3.11","v2026.3.17","v2026.3.16","aqua-registry-v2026.3.10","v2026.3.15","v2026.3.14","v2026.3.13","aqua-registry-v2026.3.9","v2026.3.12","vfox-v2026.3.4","v2026.3.11","v2026.3.10","aqua-registry-v2026.3.8","vfox-v2026.3.3","v2026.3.9","aqua-registry-v2026.3.7","vfox-v2026.3.2","v2026.3.8","aqua-registry-v2026.3.6","v2026.3.7","aqua-registry-v2026.3.5","v2026.3.6","aqua-registry-v2026.3.4","vfox-v2026.3.1","v2026.3.5","aqua-registry-v2026.3.3","v2026.3.4","aqua-registry-v2026.3.2","v2026.3.3","v2026.3.2","aqua-registry-v2026.3.1","v2026.3.1","vfox-v2026.3.0","v2026.3.0","v2026.2.24","vfox-v2026.2.7","v2026.2.23","v2026.2.22","aqua-registry-v2026.2.18","v2026.2.21","aqua-registry-v2026.2.17","vfox-v2026.2.6","v2026.2.20","aqua-registry-v2026.2.16","v2026.2.19","aqua-registry-v2026.2.15","v2026.2.18","aqua-registry-v2026.2.14","v2026.2.17","aqua-registry-v2026.2.13","v2026.2.16","v2026.2.15","aqua-registry-v2026.2.12","vfox-v2026.2.5","v2026.2.14","mise-interactive-config-v2026.2.3","aqua-registry-v2026.2.11","vfox-v2026.2.4","v2026.2.13","aqua-registry-v2026.2.10","v2026.2.12","aqua-registry-v2026.2.9","v2026.2.11","v2026.2.10","aqua-registry-v2026.2.8","v2026.2.9","mise-interactive-config-v2026.2.2","aqua-registry-v2026.2.7","v2026.2.8","mise-interactive-config-v2026.2.1","v2026.2.7","vfox-v2026.2.3","v2026.2.6","aqua-registry-v2026.2.4","v2026.2.5","aqua-registry-v2026.2.3","v2026.2.4","v2026.2.3","aqua-registry-v2026.2.2","vfox-v2026.2.2","v2026.2.2","aqua-registry-v2026.2.1","vfox-v2026.2.1","v2026.2.1","v2026.2.0","mise-interactive-config-v2026.2.0","vfox-v2026.1.7","v2026.1.12","vfox-v2026.1.6","v2026.1.11","v2026.1.10","vfox-v2026.1.5","v2026.1.9","v2026.1.8","aqua-registry-v2026.1.10","v2026.1.7","aqua-registry-v2026.1.9","vfox-v2026.1.4","v2026.1.6","aqua-registry-v2026.1.8","vfox-v2026.1.3","v2026.1.5","aqua-registry-v2026.1.6","vfox-v2026.1.2","v2026.1.4","aqua-registry-v2026.1.5","vfox-v2026.1.1","v2026.1.3","aqua-registry-v2026.1.4","v2026.1.2","aqua-registry-v2026.1.3","v2026.1.1","aqua-registry-v2026.1.2","v2026.1.0","aqua-registry-v2026.1.1","vfox-v2025.12.13","v2025.12.13","aqua-registry-v2025.12.13","vfox-v2025.12.12","aqua-registry-v2025.12.12","v2025.12.12","v2025.12.11","v2025.12.10","v2025.12.9","v2025.12.8","v2025.12.7","v2025.12.6","v2025.12.5","v2025.12.4","v2025.12.3","v2025.12.2","v2025.12.1","v2025.12.0","v2025.11.11","v2025.11.10","v2025.11.9","v2025.11.8","v2025.11.7","v2025.11.6","v2025.11.5","v2025.11.4","v2025.11.3","v2025.11.2","v2025.11.1","v2025.11.0","v2025.10.21","v2025.10.20","v2025.10.19","v2025.10.18","v2025.10.17","v2025.10.16","v2025.10.15","v2025.10.14","v2025.10.13","v2025.10.12","v2025.10.11","v2025.10.10","v2025.10.9","v2025.10.8","v2025.10.7","v2025.10.6","v2025.10.5","v2025.10.4","v2025.10.3","v2025.10.2","v2025.10.1","v2025.10.0","v2025.9.25","v2025.9.24","v2025.9.23","v2025.9.22","v2025.9.21","v2025.9.20","v2025.9.19","v2025.9.18","v2025.9.17","v2025.9.16","v2025.9.15","v2025.9.14","v2025.9.13","v2025.9.12","v2025.9.11","v2025.9.10","v2025.9.9","v2025.9.8","v2025.9.7","v2025.9.6","v2025.9.5","v2025.9.4","v2025.9.3","v2025.9.2","v2025.9.1","v2025.9.0","v2025.8.21","v2025.8.20","v2025.8.19","v2025.8.18","v2025.8.17","v2025.8.16","v2025.8.15","v2025.8.14","v2025.8.13","v2025.8.12","v2025.8.11","v2025.8.10","v2025.8.9","v2025.8.8","v2025.8.7","v2025.8.6","v2025.8.5","v2025.8.4","v2025.8.3","v2025.8.2","v2025.8.1","v2025.8.0","v2025.7.32","v2025.7.31","v2025.7.30","v2025.7.29","v2025.7.28","v2025.7.27","v2025.7.26","v2025.7.25","v2025.7.24","v2025.7.23","v2025.7.22","v2025.7.21","v2025.7.20","v2025.7.19","v2025.7.18","v2025.7.17","v2025.7.16","v2025.7.15","v2025.7.14","v2025.7.13","v2025.7.12","v2025.7.11","v2025.7.10","v2025.7.9","v2025.7.8","v2025.7.7","v2025.7.4","v2025.7.3","v2025.7.2","v2025.7.1","v2025.7.0","v2025.6.8","v2025.6.7","v2025.6.6","v2025.6.5","v2025.6.4","v2025.6.3","v2025.6.2","v2025.6.1","v2025.6.0","v2025.5.17","v2025.5.16","v2025.5.15","v2025.5.14","v2025.5.13","v2025.5.12","v2025.5.11","v2025.5.10","v2025.5.9","v2025.5.8","v2025.5.7","v2025.5.6","v2025.5.5","v2025.5.4","v2025.5.3","v2025.5.2","v2025.5.1","v2025.5.0","v2025.4.12","v2025.4.11","v2025.4.10","v2025.4.9","v2025.4.8","v2025.4.7","v2025.4.6","v2025.4.5","v2025.4.4","v2025.4.3","v2025.4.2","v2025.4.1","v2025.4.0","v2025.3.11","v2025.3.10","v2025.3.9","v2025.3.8","v2025.3.7","v2025.3.6","v2025.3.5","v2025.3.4","v2025.3.3","v2025.3.2","v2025.3.1","v2025.3.0","v2025.2.9","v2025.2.8","v2025.2.7","v2025.2.6","v2025.2.5","v2025.2.4","v2025.2.3","v2025.2.2","v2025.2.1","v2025.2.0","v2025.1.17","v2025.1.16","v2025.1.15","v2025.1.14","v2025.1.13","v2025.1.12","v2025.1.11","v2025.1.10","v2025.1.9","v2025.1.8","v2025.1.7","v2025.1.6","v2025.1.5","v2025.1.4","v2025.1.3","v2025.1.2","v2025.1.1","v2025.1.0","v2024.12.24","v2024.12.23","v2024.12.22","v2024.12.21","v2024.12.20","v2024.12.19","v2024.12.18","v2024.12.17","v2024.12.16","v2024.12.15","v2024.12.14","v2024.12.13","v2024.12.12","v2024.12.11","v2024.12.10","v2024.12.9","v2024.12.8","v2024.12.7","v2024.12.6","v2024.12.5","v2024.12.4","v2024.12.3","v2024.12.2","v2024.12.1","v2024.12.0","v2024.11.37","v2024.11.36","v2024.11.35","v2024.11.34","v2024.11.33","v2024.11.32","v2024.11.31","v2024.11.30","v2024.11.29","v2024.11.28","v2024.11.27","v2024.11.26","v2024.11.25","v2024.11.24","v2024.11.23","v2024.11.22","v2024.11.21","v2024.11.20","v2024.11.19","v2024.11.18","v2024.11.17","v2024.11.16","v2024.11.15","v2024.11.14","v2024.11.13","v2024.11.12","v2024.11.11","v2024.11.10","v2024.11.9","v2024.11.8","v2024.11.7","v2024.11.6","v2024.11.5","v2024.11.4","v2024.11.3","v2024.11.2","v2024.11.1","v2024.11.0","v2024.10.13","v2024.10.12","v2024.10.11","v2024.10.10","v2024.10.9","v2024.10.8","v2024.10.7","v2024.10.6","v2024.10.5","v2024.10.4","v2024.10.3","v2024.10.2","v2024.10.1","v2024.10.0","v2024.9.13","v2024.9.12","v2024.9.11","v2024.9.10","v2024.9.9","v2024.9.8","v2024.9.7","v2024.9.6","v2024.9.5","v2024.9.4","v2024.9.3","v2024.9.2","v2024.9.1","v2024.9.0","v2024.8.15","v2024.8.14","v2024.8.13","v2024.8.12","v2024.8.11","v2024.8.10","v2024.8.9","v2024.8.8","v2024.8.7","v2024.8.6","v2024.8.5","v2024.8.4","v2024.8.3","v2024.8.2","v2024.8.1","v2024.8.0","v2024.7.5","v2024.7.4","v2024.7.3","v2024.7.2","v2024.7.1","v2024.7.0","v2024.6.6","v2024.6.5","v2024.6.4","v2024.6.3","v2024.6.2","v2024.6.1","v2024.6.0","v2024.5.28","v2024.5.27","v2024.5.26","v2024.5.25","v2024.5.24","v2024.5.23","v2024.5.22","v2024.5.21","v2024.5.20","v2024.5.19","v2024.5.18","v2024.5.17","v2024.5.16","v2024.5.15","v2024.5.14","v2024.5.13","v2024.5.12","v2024.5.11","v2024.5.10","v2024.5.9","v2024.5.8","v2024.5.7","v2024.5.6","v2024.5.5","v2024.5.4","v2024.5.2","v2024.5.1","v2024.5.0","v2024.4.12","v2024.4.11","v2024.4.10","v2024.4.9","v2024.4.8","v2024.4.7","v2024.4.5","v2024.4.4","v2024.4.3","v2024.4.1","v2024.4.0","v2024.3.11","v2024.3.2","v2024.3.1","v2024.2.19","v2024.2.18","v2024.2.17","v2024.2.16","v2024.2.15","v2024.2.14","v2024.2.13","v2024.2.12","v2024.2.11","v2024.2.10","v2024.2.9","v2024.2.8","v2024.2.7","v2024.2.6","v2024.2.5","v2024.2.4","v2024.2.3","v2024.2.2","v2024.2.1","v2024.2.0","v2024.1.35","v2024.1.34","v2024.1.33","v2024.1.32","v2024.1.31","v2024.1.30","v2024.1.29","v2024.1.28","v2024.1.27","v2024.1.26","v2024.1.25","v2024.1.24","v2024.1.23","v2024.1.22","v2024.1.21","v2024.1.20","v2024.1.19","v2024.1.18","v2024.1.17","v2024.1.16","v2024.1.15","v2024.1.14","v2024.1.13","v2024.1.12","v2024.1.11","v2024.1.10","v2024.1.9","v2024.1.8","v2024.1.7","v2024.1.6","v2024.1.5","v2024.1.4","v2024.1.3","v2024.1.2","v2024.1.1","v2024.1.0","v2024.0.0","v2023.12.40","v2023.12.39","v2023.12.38","v2023.12.37","v2023.12.36","v2023.12.35","v2023.12.34","v2023.12.33","v2023.12.32","v2023.12.31","v2023.12.30","v2023.12.29","v2023.12.28","v2023.12.27","v2023.12.26","v2023.12.25","v2023.12.24","v2023.12.23","v2023.12.22","v2023.12.21","v2023.12.20","v2023.12.19","v2023.12.18","v2023.12.17","v2023.12.16","v2023.12.15","v2023.12.14","v2023.12.13","v2023.12.12","v2023.12.11","v2023.12.10","v2023.12.9","v2023.12.8","v2023.12.7","v2023.12.6","v2023.12.5","v2023.12.4","v2023.12.3","v2023.12.2","v2023.12.1","v2023.12.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55448.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}