Remote Code Execution Vulnerability in Tophat by Shopify
CVE-2026-39862

6.3MEDIUM

Key Information:

Vendor: Shopify
Status: Tophat
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-39862?

Tophat, a mobile applications testing harness developed by Shopify, has a vulnerability that allows attackers to execute arbitrary commands on a developer's macOS workstation. By utilizing specially crafted URLs (tophat:// or http://localhost:29070), attackers can manipulate the arguments query parameter, which is not properly sanitized, leading to the execution of commands via /bin/bash -c. This poses a significant risk for developers using Tophat, especially on previously trusted build hosts where no confirmation dialog is presented. The vulnerability is addressed in version 2.5.1, which is recommended for all users.

Affected Version(s)

tophat < 2.5.1

References

https://github.com/Shopify/tophat/security/advisories/GHS...

x_refsource_CONFIRM

https://github.com/Shopify/tophat/pull/139

x_refsource_MISC

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Apr 7, 2026

CVE-2026-39862 Data

JSON