ouroboros-ai Vulnerable to Remote Code Execution via Untrusted Project-Directory .env

Description

Impact

A Remote Code Execution (RCE) vulnerability was discovered in Ouroboros. If a user clones a malicious repository and runs Ouroboros commands within that directory, it can lead to arbitrary code execution and potential system takeover.

The vulnerability (CWE-426: Untrusted Search Path & CWE-15: External Control of System Setting) stems from Ouroboros loading the .env file from the current working directory. Prior to the patch, execution-affecting environment variables such as OUROBOROS_CLI_PATH, OPENCODE_CLI_PATH, and other backend selectors were accepted directly from this local .env. An attacker could include a malicious script in the repository and point the CLI path variable to it (e.g., OUROBOROS_CLI_PATH=./malicious_script.sh). When the user executes a command like ouroboros init or any command that instantiates the adapter, the malicious script is executed instead of the intended CLI.

Patches

The vulnerability has been patched in version 0.39.0 via PR #1078.
The fix establishes a strict trust boundary by applying a denylist to project-local .env loading. It blocks execution-affecting environment variables (such as runtime selectors and CLI path overrides) from being loaded from the project directory. Explicit constructor overrides and trusted user-owned home configurations (~/.ouroboros/.env) remain fully functional.

Users are strongly advised to upgrade to version 0.39.0 or later.

Workarounds

If upgrading is not immediately possible, users must carefully inspect any .env file inside cloned repositories before running Ouroboros commands to ensure it does not contain unexpected OUROBOROS_*_CLI_PATH or OPENCODE_CLI_PATH overrides.

References

  • GitHub PR: https://github.com/Q00/ouroboros/pull/1078

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-29 21:22:41 UTC
Updated
2026-05-29 21:22:42 UTC
GitHub reviewed
2026-05-29 21:22:41 UTC

EPSS Score

No EPSS score in this advisory JSON.

CVSS Scores

Base score Version Severity Vector
8.6 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:A)
User interaction is required in an active way.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-426 Untrusted Search Path

Credits

  • qerogram (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip ouroboros-ai < 0.39.0 0.39.0

References

cvelogic Threat Intelligence