Command Injection Vulnerability in Python UTCP by Universal Tool Calling Protocol
CVE-2026-45369

8.3 HIGH

What is CVE-2026-45369?

The python-utcp implementation contains a command injection vulnerability caused by insecure handling of user-controlled arguments in the _substitute_utcp_args method. These arguments are incorporated directly into shell command strings that are then executed via /bin/bash -c on Unix or powershell.exe -Command on Windows, so an attacker who controls an argument can execute arbitrary commands on the underlying system. Users are strongly encouraged to upgrade to version 1.1.3 or later to mitigate this significant security risk.
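The vulnerability class described above is string substitution of caller-controlled values into a command line that a shell later parses. The following is an added, constructed example (it is not python-utcp's code and does not reproduce the project's _substitute_utcp_args method or its tool schema); the template syntax, function names and the `has_shell_metacharacters` helper are assumptions made for illustration. It places the unsafe pattern next to a hardened one that substitutes each placeholder into its own argv element and runs the program with shell=False, so metacharacters in a value stay literal on both Unix and Windows.

```python
import shlex
import subprocess
import sys
from string import Template

# Constructed tool definition: a command template with ${placeholder} slots.
# Hypothetical format, not python-utcp's own manual schema.
TOOL_CMD_TEMPLATE = "grep -n ${pattern} notes.txt"

# Characters that change meaning once a string reaches bash -c or
# powershell -Command. Useful for logging/rejecting suspicious values as
# defence in depth; it is NOT a substitute for avoiding the shell.
SHELL_METACHARACTERS = set(";|&$`<>(){}\n\r")


def has_shell_metacharacters(value: str) -> bool:
    """Return True if a tool argument contains shell control characters."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def substitute_into_shell_string(template: str, args: dict) -> str:
    """Vulnerable pattern (shown for contrast, never executed here).

    Values are spliced straight into one string that would later be handed
    to `bash -c` / `powershell -Command`; anything in a value that the shell
    understands becomes part of the command itself.
    """
    return Template(template).safe_substitute(args)


def substitute_into_argv(template: str, args: dict) -> list:
    """Hardened pattern.

    Tokenise the *template* first (trusted, written by the tool author), then
    substitute placeholders token by token. A value can only ever fill one
    argv element and is never re-parsed by a shell.
    """
    argv = []
    for token in shlex.split(template):
        argv.append(Template(token).safe_substitute(args))
    return argv


def run_tool(argv: list) -> subprocess.CompletedProcess:
    """Execute an argv list directly; shell=False means no bash/powershell
    is involved, so ';', '|', '$(...)' etc. are plain bytes to the child."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)


def run_with_literal_argument(value: str) -> str:
    """Demonstration: pass `value` through the hardened path to a child
    Python process that simply prints its first argument back."""
    template = (
        f"{shlex.quote(sys.executable)} -c 'import sys; print(sys.argv[1])' ${{value}}"
    )
    argv = substitute_into_argv(template, {"value": value})
    return run_tool(argv).stdout.strip()


if __name__ == "__main__":
    # Constructed benign value containing a shell separator.
    value = "x; echo injected"
    print("unsafe string :", substitute_into_shell_string(TOOL_CMD_TEMPLATE, {"pattern": value}))
    print("hardened argv :", substitute_into_argv(TOOL_CMD_TEMPLATE, {"pattern": value}))
    print("child received:", run_with_literal_argument(value))
```

In the unsafe string the `;` ends the grep command and starts a second one; in the hardened argv the same text is a single element, and the child process receives it unchanged. The metacharacter check is only a detection aid for alerting on odd tool inputs; the fix is the argv form with shell=False.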

Affected Version(s)

python-utcp < 1.1.2

References

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
