PT-2026-51638 · Mise · Mise

Published 2026-06-23 · Updated 2026-06-26 · CVE-2026-54557

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: mise versions prior to 2026.6.1

Description: The HTTP backend in mise builds the install symlink for a non-latest version from the raw resolved version string rather than from a sanitized version path name. On Unix-like systems, when that string is an absolute path, PathBuf::join discards the intended installation root directory and returns the absolute path unchanged. A repository-controlled .tool-versions file can therefore make mise create symlinks outside the designated install tree. When the bin path variable is configured, an attacker can place an executable symlink under an absolute prefix of their choice; if that prefix is on the system PATH, trusted commands can be replaced with attacker-controlled content and executed.

Recommendations: Update mise to version 2026.6.1. As a temporary mitigation, avoid using .tool-versions files from untrusted repositories.
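The join behaviour behind this advisory, shown as an added example that is not mise's own code: raw_symlink_target reproduces the unsafe pattern (root joined with the raw version string), and checked_symlink_target is an assumed hardening, not the project's actual fix, that accepts only a single normal path component. The install root and version strings are constructed placeholders.

```rust
use std::path::{Component, Path, PathBuf};

// The join pattern the advisory describes: the install root is joined with the
// raw resolved version string taken from a repository's .tool-versions file.
// On Unix, Path::join replaces the whole base when the argument is an absolute
// path, so the returned symlink target can lie anywhere on the filesystem.
pub fn raw_symlink_target(install_root: &Path, version: &str) -> PathBuf {
    install_root.join(version)
}

// Hardened variant (an assumption for illustration, not the project's actual
// fix): the version must be exactly one normal path component. A leading "/",
// ".." or "." components, empty strings and embedded separators are rejected,
// so the result is always a direct child of install_root.
pub fn checked_symlink_target(install_root: &Path, version: &str) -> Result<PathBuf, String> {
    let mut comps = Path::new(version).components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(c)), None) => Ok(install_root.join(c)),
        _ => Err(format!("refusing version {version:?}: not a single path component")),
    }
}

fn main() {
    // Constructed sample values: a placeholder install root and three version
    // strings, one benign, one shaped like an absolute path, one with "..".
    let root = Path::new("/home/user/.local/share/mise/installs/example-tool");
    for v in ["1.2.3", "/usr/local/bin/example-cmd", "../escape"] {
        println!("raw:     {:?} -> {}", v, raw_symlink_target(root, v).display());
        println!("checked: {:?} -> {:?}", v, checked_symlink_target(root, v));
    }
}
```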

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-54557
GHSA-F94H-J2QG-FXW3

Affected Products

Mise