{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/network-ai--5.9.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["network-ai (\u003c 5.9.1)"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","node.js","linux","macos","software-supply-chain"],"_cs_type":"advisory","_cs_vendors":["Jovancoding"],"content_html":"\u003cp\u003eA critical command injection vulnerability, tracked as CVE-2026-54051, exists in the \u003ccode\u003enetwork-ai\u003c/code\u003e npm package, specifically affecting versions prior to 5.9.1. The flaw stems from a mismatch between the \u003ccode\u003eSandboxPolicy.isCommandAllowed\u003c/code\u003e function, which performs allowlist glob-matching on the entire command string, and the \u003ccode\u003eShellExecutor\u003c/code\u003e which then executes this string directly via \u003ccode\u003e/bin/sh -c\u003c/code\u003e. This discrepancy allows an attacker to inject shell metacharacters (e.g., \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e$(...)\u003c/code\u003e) into a command that would otherwise be approved by a broad wildcard allowlist entry (e.g., \u003ccode\u003egit *\u003c/code\u003e, \u003ccode\u003enpm *\u003c/code\u003e). This bypasses the intended security control meant to contain a compromised agent, enabling arbitrary command execution with the privileges of the orchestrator process on Linux and macOS systems. The vulnerability was publicly disclosed on June 19, 2026, via a GitHub Security Advisory (GHSA-qw6v-5fcf-5666).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises or controls a \u003ccode\u003enetwork-ai\u003c/code\u003e agent process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetwork-ai\u003c/code\u003e orchestrator's \u003ccode\u003eSandboxPolicy\u003c/code\u003e includes a broad wildcard allowlist entry for commands (e.g., \u003ccode\u003egit *\u003c/code\u003e, \u003ccode\u003enpm *\u003c/code\u003e, \u003ccode\u003enode *\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious command string containing shell metacharacters, such as \u003ccode\u003egit status; id \u0026gt; /tmp/pwned.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSandboxPolicy.isCommandAllowed\u003c/code\u003e function evaluates the full malicious string, and due to the glob-matching logic, it incorrectly determines the command is allowed.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eShellExecutor.execute\u003c/code\u003e method proceeds to execute the approved string by invoking \u003ccode\u003e/bin/sh -c \u0026quot;git status; id \u0026gt; /tmp/pwned.txt\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/bin/sh\u003c/code\u003e interpreter processes the shell metacharacters (specifically the semicolon), executing both \u003ccode\u003egit status\u003c/code\u003e and the injected \u003ccode\u003eid \u0026gt; /tmp/pwned.txt\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eArbitrary command execution is achieved, typically as the orchestrator process, allowing the attacker to bypass the intended sandbox controls and potentially escalate privileges or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54051 leads to arbitrary command execution on the system running the \u003ccode\u003enetwork-ai\u003c/code\u003e orchestrator process. This vulnerability completely undermines the primary security mechanism designed to prevent a compromised agent from executing unauthorized commands. Attackers can leverage this to gain full control over the orchestrator, leading to data exfiltration, further lateral movement, or deployment of additional malicious payloads. While specific victim numbers are not provided, any organization utilizing \u003ccode\u003enetwork-ai\u003c/code\u003e with broad wildcard allowlist entries in its \u003ccode\u003eSandboxPolicy\u003c/code\u003e on Linux or macOS systems is susceptible to this critical flaw.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade immediately:\u003c/strong\u003e Update \u003ccode\u003enetwork-ai\u003c/code\u003e package to version 5.9.1 or later to apply the patch for CVE-2026-54051.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRefine allowlists:\u003c/strong\u003e Review and harden \u003ccode\u003eSandboxPolicy\u003c/code\u003e allowlist configurations, avoiding overly broad wildcard entries like \u003ccode\u003enode *\u003c/code\u003e or \u003ccode\u003enpm *\u003c/code\u003e even after patching.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable logging:\u003c/strong\u003e Ensure \u003ccode\u003eprocess_creation\u003c/code\u003e logging (e.g., via Sysmon for Linux/macOS) is enabled to capture execution of shell interpreters and their command-line arguments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma rules:\u003c/strong\u003e Deploy the provided Sigma rules to detect suspicious \u003ccode\u003esh -c\u003c/code\u003e invocations and anomalous command executions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T13:43:05Z","date_published":"2026-06-19T13:43:05Z","id":"https://feed.craftedsignal.io/briefs/2026-06-network-ai-cmd-injection/","summary":"The `network-ai` package, versions prior to 5.9.1, is vulnerable to a critical command injection flaw (CVE-2026-54051) where the `ShellExecutor` component fails to properly neutralize shell metacharacters when processing commands, allowing an attacker to achieve arbitrary command execution as the orchestrator process by bypassing allowlist controls.","title":"Network-AI: Improper Neutralization of Special Elements used in an OS Command (CVE-2026-54051)","url":"https://feed.craftedsignal.io/briefs/2026-06-network-ai-cmd-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Network-Ai (\u003c 5.9.1)","version":"https://jsonfeed.org/version/1.1"}