Attack Chain

1. The attacker crafts a malicious JSON metadata file containing a payload within the check field.
2. The attacker places the malicious metadata file in the uniget metadata cache directory (~/.local/var/cache/uniget/).
3. The user executes a uniget command such as describe, install, update, or inspect targeting a tool defined in the malicious metadata.
4. Uniget loads the metadata for the specified tool using json.Unmarshal().
5. The tool.Check field is populated with the attacker-controlled command from the JSON metadata.
6. Uniget executes the command defined in the tool.Check field using /bin/bash -c.
7. The shell interprets any shell metacharacters present in the command, resulting in command injection.
8. The attacker’s injected commands are executed with the privileges of the user running uniget, potentially leading to complete system compromise.

Impact

This command injection vulnerability allows an attacker to execute arbitrary code on a vulnerable system. This can lead to the exfiltration of sensitive data, installation of malware, or modification of system configurations. Compromised systems could be leveraged for further attacks within a network. This issue primarily affects users who import or process attacker-controlled metadata, potentially including CI/CD environments using uniget automation. Successful exploitation grants the attacker the same privileges as the user running uniget, potentially leading to complete system compromise.

Recommendation

• Upgrade to uniget version 0.27.1 or later to patch CVE-2026-45152.
• Deploy the Sigma rules in this brief to your SIEM to detect exploitation attempts.
• If upgrading is not immediately feasible, avoid using uniget with untrusted metadata sources.
• Monitor process creation events for /bin/bash -c executing commands sourced from uniget metadata locations, as detected by the Sigma rules.