Description
SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.




Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g.,  execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.




ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the

--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:

* Run any shell command.
* Exfiltrate environment variables.
* Compromise the CI runner to install backdoors or modify build artifacts.



Credits Disclosed responsibly by kny4hacker.




Mitigation
* Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
* Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
* Users on Wrangler v2 (EOL) should upgrade to a supported major version.
Published: 2026-01-20
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Command Execution via CI/CD Pipeline
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from the --commit‑hash CLI option in the wrangler pages deploy command, which concatenates the supplied value directly into a shell command without validation or sanitization. This omission permits an attacker who can influence the --commit‑hash parameter to inject shell metacharacters and execute arbitrary commands on the system running Wrangler. The primary consequence is the ability to run arbitrary shell commands, exfiltrate sensitive data, or compromise the CI runner, potentially resulting in full system compromise for the build environment.

Affected Systems

The flaw affects all Cloudflare Wrangler releases prior to v4.59.1, v3.114.17, and v2 (which is end‑of‑life). Users employing earlier major versions are vulnerable when using wrangler pages deploy within automated pipelines where --commit‑hash may originate from untrusted sources. The fix is available in Wrangler v4.59.1 and later, v3.114.17 and later, and any supported major release beyond v2.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, but the EPSS score of <1% signals a low probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog, suggesting no known large‑scale attacks. The likely attack vector is a compromised or poorly configured CI/CD pipeline that supplies an attacker‑controlled value to the --commit‑hash option. Successful exploitation would require the attacker to have influence over the CI environment, which is a moderate to high limitation for most users. Nonetheless, the ability to execute arbitrary commands poses a serious threat to confidentiality, integrity, and availability of the build system.

Generated by OpenCVE AI on April 18, 2026 at 04:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to at least Wrangler v4.59.1 if using Wrangler v4.
  • Upgrade to at least Wrangler v3.114.17 if using Wrangler v3.
  • If running Wrangler v2, move to a supported major release such as v3 or v4.
  • Ensure that any parameters supplied to wrangler pages deploy, especially --commit‑hash, are sourced from trusted or sanitized inputs.
  • Restrict CI runners to run only necessary commands and monitor for unexpected shell activity.

Generated by OpenCVE AI on April 18, 2026 at 04:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-36p8-mvp6-cv38 Wrangler affected by OS Command Injection in `wrangler pages deploy`
References
Link Providers
https://github.com/cloudflare/workers-sdk cve-icon cve-icon
History

Tue, 27 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cloudflare:wrangler:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Fri, 23 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Cloudflare
Cloudflare wrangler
Vendors & Products Cloudflare
Cloudflare wrangler

Tue, 20 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g.,  execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits Disclosed responsibly by kny4hacker. Mitigation * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version.
Title OS Command Injection in `wrangler pages deploy`
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N'}

Subscriptions

Cloudflare Wrangler
cve-icon MITRE

Status: PUBLISHED

Assigner: cloudflare

Published:

Updated: 2026-01-23T21:54:58.842Z

Reserved: 2026-01-14T08:27:27.244Z

Link: CVE-2026-0933

cve-icon Vulnrichment

Updated: 2026-01-23T19:00:41.854Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T23:16:06.043

Modified: 2026-01-27T21:12:28.557

Link: CVE-2026-0933

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses