CVE-2026-45370: python-utcp Exposes Process Secrets via Environment Variables
The National Vulnerability Database (NVD) has detailed CVE-2026-45370, a high-severity vulnerability in `python-utcp`, the Python implementation of UTCP. Prior to version 1.1.3, the `_prepare_environment()` function in `cli_communication_protocol.py` indiscriminately passes a complete copy of `os.environ` to every CLI subprocess. Every variable in the parent process environment, secrets included, is therefore readable by each CLI subprocess it launches.
When combined with CVE-2026-45369 (a separate, unspecified vulnerability), an attacker can leverage this behavior to exfiltrate all process-level secrets from a single tool call. This isn’t just a theoretical concern; it means sensitive data — API keys, database credentials, tokens — residing in environment variables are directly exposed if an attacker can trigger a CLI subprocess call. The CVSS score of 7.7 (HIGH) reflects the significant confidentiality impact.
Defenders need to understand the implications here. This isn’t about code execution; it’s about data exfiltration by design. The fix, available in python-utcp version 1.1.3, addresses this by preventing the wholesale copying of environment variables. Organizations using python-utcp must prioritize this patch to close a dangerous information leakage channel.
What This Means For You
- If your organization uses `python-utcp`, you must immediately verify that all deployments are updated to version 1.1.3 or later. Failure to patch CVE-2026-45370, especially if combined with CVE-2026-45369, creates a direct path for attackers to steal critical process-level secrets. Audit your environment variable usage for sensitive data and ensure isolation where possible.
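The difference between handing a child the full environment and building it from an allowlist, as an added example (not python-utcp's code and not its actual patch). The allowlist, the name heuristic, the function names and the `DEMO_API_KEY` variable are assumptions made for illustration.

```python
import os
import re
import subprocess
import sys

# Assumption: names a CLI tool typically needs; tune per deployment.
ALLOWED = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR", "TEMP", "TMP", "SYSTEMROOT")
# Assumption: a naming heuristic for auditing, not an exhaustive secret detector.
SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSW|CREDENTIAL)", re.IGNORECASE)


def inherited_env():
    """The pattern the advisory describes: the child gets a full copy of os.environ."""
    return os.environ.copy()


def minimal_env(parent=None, extra=None):
    """Allowlisted variables from the parent plus values this one tool needs."""
    parent = os.environ if parent is None else parent
    env = {name: parent[name] for name in ALLOWED if name in parent}
    env.update(extra or {})
    return env


def secret_like_names(env):
    """Audit helper: variable names that look like credentials."""
    return sorted(name for name in env if SECRET_NAME.search(name))


def child_visible_names(env):
    """Start a child interpreter with env and return the variable names it sees."""
    code = "import os; print('\\n'.join(os.environ))"
    done = subprocess.run([sys.executable, "-c", code], env=env,
                          capture_output=True, text=True, check=True)
    return set(done.stdout.splitlines())


def demo():
    """Plant a constructed secret, then compare what each kind of child can read."""
    os.environ["DEMO_API_KEY"] = "constructed-value-not-a-real-key"
    leaked = "DEMO_API_KEY" in child_visible_names(inherited_env())
    contained = "DEMO_API_KEY" not in child_visible_names(minimal_env())
    return leaked, contained


if __name__ == "__main__":
    print("would be handed to every child:", secret_like_names(inherited_env()))
    print("(leaked with full copy, contained with allowlist):", demo())
```

Running `secret_like_names(os.environ)` inside a service that hosts python-utcp gives a quick list of what a pre-1.1.3 deployment would hand to each CLI tool.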
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-45370: python-utcp Environment Variable Leakage
```yaml
# Title quoted because it contains ": ", which is not valid in a plain YAML scalar.
title: 'CVE-2026-45370: python-utcp Environment Variable Leakage'
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects the execution of python.exe with a command line indicative of the vulnerable python-utcp library (version prior to 1.1.3) calling cli_communication_protocol.py. This specific call pattern, when combined with CVE-2026-45369, allows for the exfiltration of process secrets via environment variables.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45370/
tags:
  - attack.credential_access
  # T1056.001 is Input Capture: Keylogging in ATT&CK.
  - attack.t1056.001
logsource:
  category: process_creation
detection:
  # Matches only when 'python.exe' is in the image path AND the module file name
  # appears on the command line; a process that merely imports the library does not match.
  selection:
    Image|contains:
      - 'python.exe'
    CommandLine|contains:
      - 'cli_communication_protocol.py'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-45370 | Information Disclosure | python-utcp prior to version 1.1.3 |
| CVE-2026-45370 | Information Disclosure | Vulnerable function: _prepare_environment() in cli_communication_protocol.py |
| CVE-2026-45370 | Information Disclosure | Combined with CVE-2026-45369 for exfiltration of process-level secrets |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 15, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.