Vulnerability Details CVE-2026-0933
SummaryA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.
Root causeThe commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.
ImpactThis vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the
--commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:
* Run any shell command.
* Exfiltrate environment variables.
* Compromise the CI runner to install backdoors or modify build artifacts.
Credits Disclosed responsibly by kny4hacker.
Mitigation
* Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
* Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
* Users on Wrangler v2 (EOL) should upgrade to a supported major version.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 67.2%
CVSS Severity
CVSS v3 Score 9.9
References
Products affected by CVE-2026-0933
-
cpe:2.3:a:cloudflare:wrangler:*
-
cpe:2.3:a:cloudflare:wrangler:2.0.15
-
cpe:2.3:a:cloudflare:wrangler:2.0.16
-
cpe:2.3:a:cloudflare:wrangler:2.0.17
-
cpe:2.3:a:cloudflare:wrangler:2.0.18
-
cpe:2.3:a:cloudflare:wrangler:2.0.19
-
cpe:2.3:a:cloudflare:wrangler:2.0.21
-
cpe:2.3:a:cloudflare:wrangler:2.0.22
-
cpe:2.3:a:cloudflare:wrangler:2.0.23
-
cpe:2.3:a:cloudflare:wrangler:2.0.24
-
cpe:2.3:a:cloudflare:wrangler:2.0.25
-
cpe:2.3:a:cloudflare:wrangler:2.0.26
-
cpe:2.3:a:cloudflare:wrangler:2.0.27
-
cpe:2.3:a:cloudflare:wrangler:2.0.28
-
cpe:2.3:a:cloudflare:wrangler:2.0.29
-
cpe:2.3:a:cloudflare:wrangler:2.1.0
-
cpe:2.3:a:cloudflare:wrangler:2.1.1
-
cpe:2.3:a:cloudflare:wrangler:2.1.10
-
cpe:2.3:a:cloudflare:wrangler:2.1.11
-
cpe:2.3:a:cloudflare:wrangler:2.1.12
-
cpe:2.3:a:cloudflare:wrangler:2.1.13
-
cpe:2.3:a:cloudflare:wrangler:2.1.14
-
cpe:2.3:a:cloudflare:wrangler:2.1.15
-
cpe:2.3:a:cloudflare:wrangler:2.1.2
-
cpe:2.3:a:cloudflare:wrangler:2.1.3
-
cpe:2.3:a:cloudflare:wrangler:2.1.4
-
cpe:2.3:a:cloudflare:wrangler:2.1.5
-
cpe:2.3:a:cloudflare:wrangler:2.1.6
-
cpe:2.3:a:cloudflare:wrangler:2.1.7
-
cpe:2.3:a:cloudflare:wrangler:2.1.8
-
cpe:2.3:a:cloudflare:wrangler:2.1.9
-
cpe:2.3:a:cloudflare:wrangler:2.10.0
-
cpe:2.3:a:cloudflare:wrangler:2.11.0
-
cpe:2.3:a:cloudflare:wrangler:2.11.1
-
cpe:2.3:a:cloudflare:wrangler:2.12.0
-
cpe:2.3:a:cloudflare:wrangler:2.12.1
-
cpe:2.3:a:cloudflare:wrangler:2.12.2
-
cpe:2.3:a:cloudflare:wrangler:2.12.3
-
cpe:2.3:a:cloudflare:wrangler:2.13.0
-
cpe:2.3:a:cloudflare:wrangler:2.14.0
-
cpe:2.3:a:cloudflare:wrangler:2.15.0
-
cpe:2.3:a:cloudflare:wrangler:2.15.1
-
cpe:2.3:a:cloudflare:wrangler:2.16.0
-
cpe:2.3:a:cloudflare:wrangler:2.17.0
-
cpe:2.3:a:cloudflare:wrangler:2.18.0
-
cpe:2.3:a:cloudflare:wrangler:2.19.0
-
cpe:2.3:a:cloudflare:wrangler:2.2.0
-
cpe:2.3:a:cloudflare:wrangler:2.2.1
-
cpe:2.3:a:cloudflare:wrangler:2.2.2
-
cpe:2.3:a:cloudflare:wrangler:2.2.3
-
cpe:2.3:a:cloudflare:wrangler:2.20.0
-
cpe:2.3:a:cloudflare:wrangler:2.3.0
-
cpe:2.3:a:cloudflare:wrangler:2.3.1
-
cpe:2.3:a:cloudflare:wrangler:2.3.2
-
cpe:2.3:a:cloudflare:wrangler:2.4.0
-
cpe:2.3:a:cloudflare:wrangler:2.4.1
-
cpe:2.3:a:cloudflare:wrangler:2.4.2
-
cpe:2.3:a:cloudflare:wrangler:2.4.3
-
cpe:2.3:a:cloudflare:wrangler:2.4.4
-
cpe:2.3:a:cloudflare:wrangler:2.5.0
-
cpe:2.3:a:cloudflare:wrangler:2.6.0
-
cpe:2.3:a:cloudflare:wrangler:2.6.1
-
cpe:2.3:a:cloudflare:wrangler:2.6.2
-
cpe:2.3:a:cloudflare:wrangler:2.7.0
-
cpe:2.3:a:cloudflare:wrangler:2.7.1
-
cpe:2.3:a:cloudflare:wrangler:2.8.0
-
cpe:2.3:a:cloudflare:wrangler:2.8.1
-
cpe:2.3:a:cloudflare:wrangler:2.9.0
-
cpe:2.3:a:cloudflare:wrangler:2.9.1
-
cpe:2.3:a:cloudflare:wrangler:3.0.0
-
cpe:2.3:a:cloudflare:wrangler:3.0.1
-
cpe:2.3:a:cloudflare:wrangler:3.1.0
-
cpe:2.3:a:cloudflare:wrangler:3.1.1
-
cpe:2.3:a:cloudflare:wrangler:3.1.2
-
cpe:2.3:a:cloudflare:wrangler:3.2.0
-
cpe:2.3:a:cloudflare:wrangler:3.3.0
-
cpe:2.3:a:cloudflare:wrangler:3.4.0