External risk intelligence

Mise .tool-versions Arbitrary Command Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-33646

The vulnerability resides in a developer tool used for managing local environment configurations. It requires the victim to download a malicious repository and manually change into that directory, which is a local, developer-centric activity rather than a public-facing network service or internet-exposed endpoint.

Code Injection

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the mise developer tool could allow attackers to run unauthorized commands on a user's system by embedding malicious code within project configuration files. This impacts projects using mise for managing development tools like Node.js, Python, and Terraform.

  • Malicious code can run in projects.
  • It affects developer tool configuration files.
  • Confirm if your teams use this tool.

Attack Path

How an attacker could exploit the issue

An attacker can place a malicious `.tool-versions` file in a shared Git repository. When a user with `mise` configured navigates into that directory, the file is processed by the Tera template engine, which can execute arbitrary commands.

  • Malicious file placed in a Git repository.
  • User navigates into the directory with `mise` active.
  • Arbitrary command execution without user trust.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary commands on a user's system when they navigate into a directory containing a malicious `.tool-versions` file, especially when using mise in non-paranoid mode. The Tera template engine's `exec()` function is leveraged during the processing of these files, and unlike `.mise.toml` files, `.tool-versions` files lack trust verification in this mode.

  • User's system data.
  • Malicious file in a git repository.
  • Arbitrary command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for developer environments and CI/CD pipelines should prioritize addressing this vulnerability. The first step is to identify all instances where `mise` is used, particularly in repositories that might be shared or sourced from untrusted locations. Confirming the business criticality of affected development workflows and identifying the accountable development or platform team will guide remediation efforts.

  • Developer or platform teams own resolution.
  • Verify untrusted `.tool-versions` files.
  • Plan secure environment updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is mise and how is it used?

Mise is a developer utility designed to manage local development environments. It allows engineers to automatically install and switch between different versions of tools like Node.js, Python, CMake, and Terraform. By defining requirements in specific project files, mise ensures that all team members use consistent tool versions for their local coding and testing workflows.

What is the vulnerability in CVE-2026-33646?

This vulnerability is classified as Improper Control of Generation of Code, or CWE-94. It occurs because mise uses the Tera template engine to parse .tool-versions files. Because the engine's exec() function is incorrectly enabled during this process, an attacker can embed malicious commands within these configuration files that execute automatically.

How does an attacker trigger this command execution?

The attack occurs when a user navigates into a directory containing a maliciously crafted .tool-versions file while mise is active in non-paranoid mode. This action triggers the template engine to process the file and execute its contents. Importantly, simply having the file present in a repository is not enough; the user must actively cd into the folder for the command execution to occur.

Do I need to worry about this if I work on internal code?

Halo Surface Signal notes that this is unlikely to affect internet-facing services because it is a developer-centric tool. However, the risk remains relevant if you clone and navigate into untrusted or shared Git repositories that contain malicious configuration files. Even internal repositories could pose a risk if they are compromised or if you pull untrusted code from external sources.

How do I secure my environment against this?

The first step is to identify all developer workstations and CI/CD pipelines where mise is installed. You should immediately update to version 2026.3.10 or later, which includes the necessary fixes. Until you can update, avoid navigating into directories from untrusted sources and be cautious of .tool-versions files in repositories you do not personally maintain.

References