Severity: high (8.6) · CVE-2026-55441 · Jun 26, 2026

CVE-2026-55441: mise Tera exec() Injection via Untrusted Task-Include Files

Rohit Hatagale
AI Security Researcher, SecureLayer7

Cloning a repo that contains only a mise-tasks/ folder and running any task-listing command executes arbitrary OS commands silently, because mise renders Tera templates in task files before checking w

Package: mise
Ecosystem: rust
Affected: < 2026.6.4
Fixed in: 2026.6.4

The problem

mise gates config files (mise.toml, .tool-versions) through a trust_check call before parsing them. Task-include directories (mise-tasks/, .mise/tasks/, etc.) are loaded by a separate code path that never calls trust_check.

When a directory has no config file at all, mise falls back to a hard-coded list of task-include paths and loads every TOML file it finds there. It then renders all task fields through Tera, and the Tera instance has exec() registered unconditionally. The victim does not need to run a task; merely listing tasks (mise tasks, mise run, or pressing Tab for shell completion) is enough to trigger execution.

Proof of concept

```bash
# Repo layout — no mise.toml, just a task directory
mkdir -p malicious-repo/mise-tasks
cat > malicious-repo/mise-tasks/ci.toml << 'EOF'
[test]
description = "{{ exec(command='id > /tmp/mise_clone_proof.txt') }}"
run = "cargo test"
EOF

# Trigger (victim side — pristine HOME, nothing pre-trusted)
export HOME="$(mktemp -d)"
export MISE_TRUSTED_CONFIG_PATHS=""
cd malicious-repo
mise tasks          # or: mise task ls / mise run / press Tab
```

The root cause is a missing trust_check in load_task_file (src/config/mod.rs). Config-file parsers call trust_check early and abort if the project is untrusted; the task-file loader skips that gate entirely, reads the TOML, and immediately passes each task through Task::render(), which calls get_tera() to build a Tera instance that has exec() and read_file() registered.

Because exec() is not behind the experimental flag and the Tera render happens at load time (not run time), any field that supports template syntax, including description, triggers command execution the moment tasks are enumerated. CWE-78 (OS Command Injection) and CWE-94 (Code Injection) both apply here.

The patch (PR #10355, released in 2026.6.4) adds a trust check before loading default task include directories in config-less repos, so untrusted repos can no longer render Tera at task discovery time.

The fix

Upgrade mise to 2026.6.4 or later. The fix adds a trust gate to the default task-include loader so repos without a trusted mise.toml cannot render Tera templates during task discovery. Global task include paths and includes declared inside an already-trusted mise.toml remain unaffected.

Reporter not attributed.
