GHSA-jv2h-4p9v-wf5w: ouroboros-ai: Incomplete fix of CVE-2026-47211: untrusted project .env can still reach RCE via omitted execution-routing keys
Summary
ouroboros-ai shipped an incomplete security fix: a malicious project's `.env` file (a configuration file loaded automatically when code imports the package) could still lead to remote code execution (RCE, where an attacker runs commands on your system) because some environment variable names were missing from the denylist (block list). In addition, the software auto-loaded configuration files from the current working directory without checking whether they were trustworthy, so an attacker could execute arbitrary commands whenever the tool was run inside a malicious repository.
Solution / Mitigation
Fixed in version 0.42.1. All vulnerable environment variable keys were added to `_UNTRUSTED_ENV_DENYLIST`. Automatic discovery of configuration files in the working directory was removed; configuration is now read only from explicit, trusted locations: the `OUROBOROS_MCP_CONFIG` environment variable and `~/.ouroboros/mcp_servers.yaml`. The regression suite (automated tests) now derives from the source denylist to prevent incomplete fixes in the future.
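An added example, not code from ouroboros-ai or the advisory: a minimal sketch of the mitigations described above, showing denylist filtering of an untrusted project `.env`, config resolution from trusted locations only, and a regression check that iterates the denylist itself. The `EXAMPLE_*` key names, the helper function names, and treating `OUROBOROS_MCP_CONFIG` as a denied key are assumptions; the advisory does not list the real keys.

```python
from pathlib import Path

# Assumption: illustrative contents; the advisory does not list the real keys.
_UNTRUSTED_ENV_DENYLIST = frozenset({
    "OUROBOROS_MCP_CONFIG",   # assumed denied: must come from the trusted environment
    "EXAMPLE_AGENT_RUNTIME",  # hypothetical execution-routing key
    "EXAMPLE_CLI_PATH",       # hypothetical execution-routing key
})

# Constructed sample of a hostile project .env
SAMPLE_ENV = """\
LOG_LEVEL=debug
EXAMPLE_CLI_PATH=/tmp/repo/tool.sh
export OUROBOROS_MCP_CONFIG=./mcp_servers.yaml
"""

def parse_dotenv(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("export "):
            line = line[len("export "):].strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip().strip("'\"")
    return pairs

def filter_untrusted_env(pairs, denylist=_UNTRUSTED_ENV_DENYLIST):
    """Split untrusted .env values into (accepted, rejected)."""
    accepted, rejected = {}, {}
    for key, value in pairs.items():
        # Conservative: match case-insensitively (Windows env names are).
        target = rejected if key.upper() in denylist else accepted
        target[key] = value
    return accepted, rejected

def resolve_mcp_config(process_env, home):
    """Pick the MCP config from trusted locations only; the CWD is never searched."""
    explicit = process_env.get("OUROBOROS_MCP_CONFIG")
    if explicit:
        return Path(explicit)
    candidate = Path(home) / ".ouroboros" / "mcp_servers.yaml"
    return candidate if candidate.is_file() else None

def denylist_regressions(denylist=_UNTRUSTED_ENV_DENYLIST):
    """Iterate the source denylist itself; return keys the filter lets through."""
    leaked = []
    for key in sorted(denylist):
        accepted, _ = filter_untrusted_env({key: "x"}, denylist)
        leaked.extend(accepted)
    return leaked
```

Because `denylist_regressions` walks the same object the filter uses, a key added to the denylist is covered by the check without a second hard-coded list that can drift out of sync.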
Original source: https://github.com/advisories/GHSA-jv2h-4p9v-wf5w
First tracked: June 19, 2026 at 02:00 PM