Arbitrary Code Injection Affecting ouroboros-ai package, versions [,0.42.1)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-OUROBOROSAI-17675202
  • published29 Jun 2026
  • disclosed19 Jun 2026
  • credithackkim, matte1782

Introduced: 19 Jun 2026

New CVE NOT AVAILABLE CWE-15  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade ouroboros-ai to version 0.42.1 or higher.

Overview

ouroboros-ai is a Specification-first workflow engine for AI coding agents. Works with Claude Code and Codex CLI.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the processing of environment variables such as CODEX_HOME, OPENCODE_CONFIG, OUROBOROS_MCP_CONFIG, and others, which are auto-loaded from untrusted project directories. An attacker can execute arbitrary commands by supplying a malicious .env file or ./.ouroboros/mcp_servers.yaml that redirects configuration or execution paths to attacker-controlled files. This is only exploitable if the application is run from an untrusted or cloned repository directory containing attacker-supplied configuration files.

Workaround

This vulnerability can be mitigated by avoiding execution from untrusted or cloned repository directories and by removing any project-directory .env and ./.ouroboros/mcp_servers.yaml files before running.

References

CVSS Base Scores

version 4.0
version 3.1