Platform: javascript
Component: mise
Fixed in: 2026.2.19
CVE-2026-35533 is a high-severity vulnerability in Mise, a developer tool manager for runtimes and tools such as Node, Python, CMake, and Terraform. The flaw is that Mise loads trust-control settings from a project's local .mise.toml file before it has checked whether that file is trusted, so an untrusted file can influence the trust decision that is supposed to gate it. An attacker who can place a malicious .mise.toml in a repository can therefore get code executed on the machine of any developer who runs Mise in that directory. Affected versions are 2026.2.18 through 2026.4.5, inclusive; the fix is in the next release.
The impact of CVE-2026-35533 is significant. An attacker who can inject a malicious .mise.toml into a repository used by developers controls the execution environment of everyone who runs Mise there: they can execute arbitrary commands, read secrets such as API keys and credentials from the developer's environment, or compromise the wider development pipeline if the same configuration is consumed in CI. The injection avenues in .mise.toml are the [env] _.source directive (which sources a shell script into the environment), template expressions, [hooks], and [tasks]. This is a supply-chain pattern: the malicious code arrives through a trusted-looking configuration file rather than through a dependency.
CVE-2026-35533 was publicly disclosed on 2026-04-07. Its CVSS score is 7.8 (High). No public proof-of-concept exploit is known, but exploitation requires nothing more than getting a developer to run Mise in a directory that contains an attacker-controlled .mise.toml, so the barrier is low. It is not listed on CISA KEV, and no active campaigns are confirmed, but the attack shape (a configuration file in a cloned repository) fits supply-chain tradecraft.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35533 is to upgrade Mise to a fixed release. Until that is possible, treat any .mise.toml that arrives from an untrusted source (a cloned repository, a pull request, a vendored directory) as code, and review it before running Mise in that directory. The directives to look for are [env] _.source, template expressions ({{ ... }}), [hooks], [tasks], and any [settings] table, since the advisory says trust-control settings are read from the project file. Route changes to .mise.toml through a dedicated review step, for example a CODEOWNERS rule or a branch-protection check that requires approval for that path. As a temporary workaround, limit the directories from which Mise loads project configuration to ones you control, accepting that this may break workflows that rely on per-project config. After upgrading, verify the fix with a harmless canary rather than a real payload: put a .mise.toml in a fresh, untrusted directory whose [env] _.source points at a script that only writes a marker file, run a Mise command such as mise env there, and confirm that the marker does not appear until you explicitly trust the file with mise trust.
Update to a version of mise later than 2026.4.5. The fix strengthens the trust controls so that settings from a local .mise.toml are not applied before the file has passed the trust check.
CVE-2026-35533 is a high-severity vulnerability in Mise, a developer tool manager, that lets an attacker who controls a project's .mise.toml file get arbitrary code executed on the machine of anyone who runs Mise in that project.
You are affected if you run Mise 2026.2.18 through 2026.4.5 and have not upgraded to a fixed release.
Upgrade to a fixed version of Mise. Until then, review every .mise.toml from an untrusted source before running Mise in that directory.
While no public exploits are currently known, the vulnerability's nature makes it a potential target for supply chain attacks.
Refer to the official Mise project's security advisories for the most up-to-date information and patch details.