Arbitrary Command Execution Vulnerability in mise Dev Tools
CVE-2026-55441

8.6 HIGH

Key Information:

Vendor: Jdx

Status
Vendor
CVE Published: 26 June 2026

What is CVE-2026-55441?

The mise tool, which manages development environments for dev tools such as Node, Python, CMake, and Terraform, has a vulnerability that enables arbitrary command execution. In versions prior to 2026.6.4, the application's trust settings do not properly gate certain configuration files. Specifically, if a directory includes task files but no corresponding config file, the application defaults to insecure behavior and allows commands to be executed without user consent. Exploitation can be triggered simply by listing tasks or using shell tab completion after navigating into a cloned repository. The vulnerability is fixed in version 2026.6.4.

Affected Version(s)

mise < 2026.6.4

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
