PT-2026-3738 · Cloudflare · Wrangler

Kny4Hacker · Published 2026-01-20 · Updated 2026-01-21 · CVE-2026-0933

CVSS v4.0: 7.7
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Wrangler versions prior to 3.114.17
Wrangler versions prior to 4.59.1
Wrangler version 2 (EOL)

Description
A command injection issue exists in the wrangler pages deploy command. The issue occurs because the --commit-hash parameter is passed to a shell command without proper validation, allowing an attacker who controls the --commit-hash parameter to execute arbitrary commands on the system running Wrangler. The commitHash variable, obtained from the --commit-hash command-line argument, is interpolated directly into a shell command string using template literals. Because that string is handed to a shell, any shell metacharacters in the value are interpreted rather than treated as part of the hash, enabling command execution.

This primarily affects CI/CD environments where wrangler pages deploy is run in automated pipelines and the --commit-hash parameter is populated from external sources (for example, values taken from a pull request or webhook payload). An attacker could potentially run shell commands, exfiltrate environment variables, or compromise the CI runner.

Affected command: wrangler pages deploy
Vulnerable parameter: --commit-hash

Recommendations
Wrangler versions prior to 3.114.17 should be upgraded to Wrangler version 3.114.17 or higher. Wrangler versions prior to 4.59.1 should be upgraded to Wrangler version 4.59.1 or higher. Users on Wrangler version 2 (EOL) should upgrade to a supported major version.

Tags: Fix, RCE

Weakness Enumeration: (none listed)

Related Identifiers: CVE-2026-0933

Affected Products: Wrangler