CVE-2026-47211

Description

### Impact A Remote Code Execution (RCE) vulnerability was discovered in Ouroboros. If a user clones a malicious repository and runs Ouroboros commands within that directory, it can lead to arbitrary code execution and potential system takeover. The vulnerability (CWE-426: Untrusted Search Path & CWE-15: External Control of System Setting) stems from Ouroboros loading the `.env` file from the current working directory. Prior to the patch, execution-affecting environment variables such as `OUROBOROS_CLI_PATH`, `OPENCODE_CLI_PATH`, and other backend selectors were accepted directly from this local `.env`. An attacker could include a malicious script in the repository and point the CLI path variable to it (e.g., `OUROBOROS_CLI_PATH=./malicious_script.sh`). When the user executes a command like `ouroboros init` or any command that instantiates the adapter, the malicious script is executed instead of the intended CLI. ### Patches The vulnerability has been patched in version 0.39.0 via PR #1078. The fix establishes a strict trust boundary by applying a denylist to project-local `.env` loading. It blocks execution-affecting environment variables (such as runtime selectors and CLI path overrides) from being loaded from the project directory. Explicit constructor overrides and trusted user-owned home configurations (`~/.ouroboros/.env`) remain fully functional. Users are strongly advised to upgrade to version 0.39.0 or later. ### Workarounds If upgrading is not immediately possible, users must carefully inspect any `.env` file inside cloned repositories before running Ouroboros commands to ensure it does not contain unexpected `OUROBOROS_*_CLI_PATH` or `OPENCODE_CLI_PATH` overrides. ### References - GitHub PR: https://github.com/Q00/ouroboros/pull/1078

How to fix CVE-2026-47211

To remediate CVE-2026-47211, upgrade the affected package to a fixed version below.

• —upgrade to 0.39.0 or later

Is CVE-2026-47211 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47211.

Affected packages (1)

• from 0, < 0.39.0

CVSS scores

References (4)

• PATCHgithub.com/Q00/ouroboros
• WEBgithub.com/Q00/ouroboros/commit/4e70b760b4eb157469b58645339ba831f6513d37
• WEBgithub.com/Q00/ouroboros/pull/1078
• WEBgithub.com/Q00/ouroboros/security/advisories/GHSA-c4m7-2gwp-vw76