CVE-2026-45369: Python-UTCP RCE via Unsanitized Shell Commands


The National Vulnerability Database has detailed a critical vulnerability, CVE-2026-45369, affecting python-utcp versions prior to 1.1.3. The flaw resides in the _substitute_utcp_args method in cli_communication_protocol.py, which embeds user-controlled arguments directly into shell command strings without sanitization or escaping. The resulting strings are executed with /bin/bash -c on Unix-like systems or powershell.exe -Command on Windows, so any shell metacharacters in an argument are interpreted by the shell, opening the door to arbitrary command injection.

The National Vulnerability Database assigns the vulnerability a CVSS score of 8.3 (HIGH), underscoring its severity. Attackers can exploit it by tricking a user into triggering the vulnerable function, leading to remote code execution on the target system. The impact ranges from data exfiltration to full system compromise, depending on the privileges of the process running python-utcp.

Defenders should prioritize upgrading python-utcp to version 1.1.3 or later immediately. For organizations unable to patch promptly, strict input validation and proper shell escaping (or quoting) of any user-supplied data that reaches a shell command is crucial. Monitoring for unusual shell command executions spawned by python-utcp processes can also provide early detection.
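To make the flaw concrete, here is an added illustration (not python-utcp's own code): a hypothetical placeholder substitution in the raw form the advisory describes, beside a hardened version that quotes each value with shlex.quote, plus a POSIX-style tokenizer that shows whether a constructed argument ends up contributing shell operators. The template, argument values and function names are assumptions.

```python
import re
import shlex

# Constructed stand-in for the pattern the advisory describes: a command template
# with ${name} placeholders filled from user-controlled tool_args. Hypothetical
# names; this is not python-utcp's code.
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

# Tokens a POSIX shell treats as operators rather than as argument text.
SHELL_OPERATORS = {";", ";;", "|", "||", "&", "&&", "(", ")", "<", ">", ">>", "<<"}


def substitute_unsafe(template: str, tool_args: dict) -> str:
    """Raw substitution: the argument text lands in the shell string verbatim."""
    return PLACEHOLDER.sub(lambda m: str(tool_args[m.group(1)]), template)


def substitute_safe(template: str, tool_args: dict) -> str:
    """Hardened substitution: each value becomes exactly one quoted shell word."""
    return PLACEHOLDER.sub(lambda m: shlex.quote(str(tool_args[m.group(1)])), template)


def shell_tokens(command: str) -> list:
    """Split a command string the way a POSIX shell lexer would, keeping operators separate."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split on whitespace as well as on punctuation (Python 3.8+)
    return list(lexer)


def leaked_operators(command: str) -> list:
    """Operators that appear outside quotes, i.e. ones the shell would act on."""
    return [tok for tok in shell_tokens(command) if tok in SHELL_OPERATORS]


if __name__ == "__main__":
    template = "cat ${file}"                      # constructed tool template
    args = {"file": "report.txt; echo injected"}  # constructed user-controlled value
    for label, render in (("unsafe", substitute_unsafe), ("safe", substitute_safe)):
        cmd = render(template, args)
        print(f"{label:6} {cmd!r} -> tokens {shell_tokens(cmd)} operators {leaked_operators(cmd)}")
```

The unsafe rendering yields a bare `;` token, so the shell would run a second command; the quoted rendering keeps the whole value as one argument.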

What This Means For You

  • If your development or operational teams use python-utcp, verify your version is at least 1.1.3. If not, patch immediately. Audit any code that passes user-controlled data to `_substitute_utcp_args` to prevent exploitation.

Related ATT&CK Techniques

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

Level: critical · ATT&CK: T1059.004 (Execution)

Sigma YAML:
title: 'CVE-2026-45369: Python-UTCP RCE via Unsanitized Shell Commands'
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects the execution of /bin/bash -c or powershell.exe -Command when the command line indicates the use of the vulnerable python-utcp library, specifically targeting the _substitute_utcp_args method which executes unsanitized shell commands. This is a direct indicator of exploitation for CVE-2026-45369.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45369/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  selection:
    # Image is the full executable path, so match its tail rather than its start
    Image|endswith:
      - '/bin/bash'
      - '\powershell.exe'
    CommandLine|contains:
      - 'python-utcp'
  # condition belongs directly under detection, not inside the selection map
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type               Indicator
CVE-2026-45369  Command Injection  python-utcp versions prior to 1.1.3
CVE-2026-45369  Command Injection  Vulnerable method: _substitute_utcp_args in cli_communication_protocol.py
CVE-2026-45369  Command Injection  User-controlled tool_args values are unsanitized
CVE-2026-45369  Command Injection  Execution via /bin/bash -c (Unix) or powershell.exe -Command (Windows)

Source & Attribution
Source platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

