PT-2026-41124 · Pypi · Python-Utcp

Zeroxjacks · Published 2026-05-14 · Updated 2026-05-15 · CVE-2026-45370 · CVSS v3.1 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: python-utcp versions prior to 1.1.3

Description: The prepare_environment() function in cli_communication_protocol.py passes a complete copy of os.environ to every CLI subprocess, so every environment variable of the host process (cloud provider credentials, database connection strings, LLM API keys and the like) is visible to any command that runs there. Combined with the command injection flaw in the substitute_utcp_args() function, an attacker can exfiltrate all process-level secrets in a single tool call.

Recommendations: Update to version 1.1.3 or newer. Check the installed version with `pip show python-utcp`.
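The environment-leak pattern described above, shown as an added example that is not python-utcp's own code: a helper that copies the whole host environment into the child (the vulnerable shape) beside an allowlist-based helper, and a check that spawns a child to list the variable names it can see, which is exactly what an injected command would do. The function names, the DEMO_LLM_API_KEY variable and the SAFE_PASSTHROUGH list are assumptions for this example.

```python
"""Added example (not code from the python-utcp project): host environment
leaking into CLI subprocesses, and the allowlist that prevents it."""
import os
import subprocess
import sys

# Constructed secret for the demo. A real host process might hold
# OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, DATABASE_URL and similar.
DEMO_SECRET_NAME = "DEMO_LLM_API_KEY"
DEMO_SECRET_VALUE = "sk-constructed-example-value"

# Hypothetical allowlist: the minimum a typical CLI tool needs to start.
SAFE_PASSTHROUGH = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR",
                    "SYSTEMROOT", "TEMP", "TMP")


def prepare_environment_vulnerable(tool_env: dict) -> dict:
    """The shape the advisory describes: every host variable reaches the child."""
    env = os.environ.copy()
    env.update(tool_env)
    return env


def prepare_environment_hardened(tool_env: dict,
                                 passthrough=SAFE_PASSTHROUGH) -> dict:
    """Allowlist: only named host variables plus the tool's own declared ones."""
    env = {k: os.environ[k] for k in passthrough if k in os.environ}
    env.update(tool_env)
    return env


def names_visible_to_subprocess(env: dict) -> set:
    """Spawn a child with the given env and return the variable names it sees.

    The child is a Python one-liner so the example runs anywhere; an injected
    `env` or `printenv` command would see the same thing.
    """
    code = "import os, sys; sys.stdout.write('\\n'.join(os.environ))"
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True).stdout
    return set(out.split("\n")) - {""}


def leaked_secret_names(prepare, secret_name=DEMO_SECRET_NAME) -> set:
    """Plant a secret in the host process, build the child env with `prepare`,
    and report which planted names the child can read."""
    os.environ[secret_name] = DEMO_SECRET_VALUE
    try:
        visible = names_visible_to_subprocess(prepare({"UTCP_TOOL_ARG": "demo"}))
    finally:
        os.environ.pop(secret_name, None)
    return visible & {secret_name}


if __name__ == "__main__":
    print("vulnerable leaks:", leaked_secret_names(prepare_environment_vulnerable))
    print("hardened leaks:  ", leaked_secret_names(prepare_environment_hardened))
```

The allowlist is the important part: the child still gets PATH and the tool's own variables, so well-behaved tools keep working, while anything the host process holds only for its own use (API keys, connection strings) never becomes reachable from a command string an attacker controls.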

Related Identifiers

CVE-2026-45370
GHSA-5V57-8RXJ-3P2R

Affected Products

Python-Utcp