CVE-2026-26331 Overview
CVE-2026-26331 is a command injection vulnerability affecting yt-dlp, a popular command-line audio/video downloader. The vulnerability exists in versions starting from 2023.06.21 and prior to 2026.02.21. When the --netrc-cmd command-line option or netrc_cmd Python API parameter is used, an attacker can achieve arbitrary command injection on a user's system through a maliciously crafted URL.
The yt-dlp maintainers assess the impact of this vulnerability as high for anyone utilizing --netrc-cmd in their command/configuration or netrc_cmd in their Python scripts. While the malicious URL itself may appear suspicious, it would be trivial for an attacker to create a seemingly innocent webpage that covertly exploits this vulnerability through HTTP redirects. Users who do not use --netrc-cmd or netrc_cmd are not affected. No evidence has been found of this exploit being used in the wild.
Critical Impact
Arbitrary command execution on systems using yt-dlp with --netrc-cmd option enabled, allowing attackers to fully compromise the target machine through maliciously crafted URLs or HTTP redirects.
Affected Products
- yt-dlp versions 2023.06.21 through 2026.02.20
- yt-dlp Python library with netrc_cmd parameter usage
- Systems running yt-dlp with --netrc-cmd command-line option configured
Discovery Timeline
- 2026-02-24 - CVE-2026-26331 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-26331
Vulnerability Analysis
This vulnerability is classified as CWE-78 (OS Command Injection). The flaw allows remote attackers to execute arbitrary commands on the target system when yt-dlp processes a specially crafted URL while the --netrc-cmd option is in use. The vulnerability is exploitable over the network and requires user interaction (such as clicking a link or being redirected to a malicious URL), but requires no authentication or special privileges.
The attack can be particularly effective because, even if a user would recognize a suspicious URL when shown it directly, attackers can deliver the exploit through HTTP redirects from legitimate-looking webpages, so the malicious URL is never seen by the end user and detection becomes difficult.
Root Cause
The root cause of CVE-2026-26331 lies in insufficient validation of the netrc_machine parameter values before they are passed to shell commands. The vulnerable code failed to restrict input to shell-safe characters, allowing attackers to inject arbitrary commands through specially crafted URL patterns that would be interpreted as valid machine identifiers but contain command injection payloads.
Attack Vector
The attack vector operates through network-based exploitation requiring user interaction. An attacker crafts a malicious URL containing command injection sequences that target the netrc machine parameter processing. When a user with --netrc-cmd configured attempts to process this URL (either directly or via an HTTP redirect from an innocuous-looking page), the injected commands execute with the privileges of the user running yt-dlp.
The following patch demonstrates how the vulnerability was addressed by limiting input to shell-safe characters:
'marafon.mani-beauty.com',
'on.psbook.ru',
]
- _BASE_URL_RE = rf'https?://(?:(?!player02\.)[^.]+\.getcourse\.(?:ru|io)|{"|".join(map(re.escape, _DOMAINS))})'
+ _BASE_URL_RE = rf'https?://(?:(?!player02\.)[a-zA-Z0-9-]+\.getcourse\.(?:ru|io)|{"|".join(map(re.escape, _DOMAINS))})'
_VALID_URL = [
rf'{_BASE_URL_RE}/(?!pl/|teach/)(?P<id>[^?#]+)',
rf'{_BASE_URL_RE}/(?:pl/)?teach/control/lesson/view\?(?:[^#]+&)?id=(?P<id>\d+)',
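Review bot: this hunk only narrows the host label of `_BASE_URL_RE` in the `getcourse.(ru|io)` wildcard branch from `[^.]+` to `[a-zA-Z0-9-]+`; it is a defence at the URL-matching layer and does not itself validate the netrc machine value at the point where it is substituted into the --netrc-cmd template, so the general shell-safe check this advisory describes (rejecting unexpected input for all machine values) is not in this hunk and must be confirmed in the rest of the change. The fixed `_DOMAINS` alternation is already wrapped in `re.escape`, so only the wildcard branch needed tightening. Minor: `[a-zA-Z0-9-]+` still accepts labels that begin or end with a hyphen, which is harmless for shell safety but worth a comment stating that the goal here is shell-safety rather than strict hostname validity.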
Source: GitHub Commit Update
The fix changes the URL regex pattern from accepting any character except dots ([^.]+) to only accepting alphanumeric characters and hyphens ([a-zA-Z0-9-]+), preventing command injection through malicious hostname patterns.
Detection Methods for CVE-2026-26331
Indicators of Compromise
- Unusual URLs containing shell metacharacters (;, |, $(), backticks) being processed by yt-dlp
- Unexpected child processes spawned by yt-dlp processes
- Suspicious network connections originating from yt-dlp execution contexts
- Presence of --netrc-cmd with placeholder ({}) in yt-dlp configurations or command history
Detection Strategies
- Monitor process execution trees for yt-dlp spawning unexpected shell commands or child processes
- Implement URL logging and analysis for yt-dlp invocations to identify malicious patterns
- Create detection rules for command injection patterns in URL parameters passed to yt-dlp
- Review HTTP redirect chains in network logs that lead to yt-dlp processing suspicious URLs
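A detection check along the lines of the strategies above, added here as an example (not part of the original page or of yt-dlp): it scans constructed shell-history lines for yt-dlp invocations that combine a --netrc-cmd template containing the {} placeholder with a URL argument holding shell metacharacters. The sample lines and the `yt/{}` template are constructed for the demonstration.

```python
import re
import shlex

# Constructed sample shell-history lines (not real logs); only line 2 pairs a
# {} placeholder template with a URL carrying a shell metacharacter sequence.
SAMPLE_HISTORY = [
    "yt-dlp --netrc-cmd 'pass show yt/{}' https://video.example.com/watch/123",
    "yt-dlp --netrc-cmd 'pass show yt/{}' 'https://video$(cmd).example.com/watch/123'",
    "yt-dlp -f best https://video.example.com/watch/456",
    "yt-dlp --netrc-cmd='pass show yt/static' https://video.example.com/watch/789",
]

# Characters the advisory lists as indicators (; | $() backticks) plus & < >,
# which a shell also interprets. A legitimate hostname never needs any of them.
SHELL_META_RE = re.compile(r'[;|&`$()<>]')

def netrc_cmd_template(argv):
    """Return the --netrc-cmd template from an argv list, or None if absent."""
    for i, arg in enumerate(argv):
        if arg == '--netrc-cmd' and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith('--netrc-cmd='):
            return arg.split('=', 1)[1]
    return None

def find_risky_invocations(lines):
    """Return (line_number, url) pairs for yt-dlp commands that use a
    --netrc-cmd template with the {} placeholder AND pass a URL containing
    shell metacharacters; either condition alone is not flagged."""
    hits = []
    for number, line in enumerate(lines, 1):
        try:
            argv = shlex.split(line)
        except ValueError:          # unbalanced quotes: fall back to a rough split
            argv = line.split()
        if not argv or not argv[0].endswith('yt-dlp'):
            continue
        template = netrc_cmd_template(argv)
        if template is None or '{}' not in template:
            continue
        for arg in argv[1:]:
            if arg.startswith(('http://', 'https://')) and SHELL_META_RE.search(arg):
                hits.append((number, arg))
    return hits

if __name__ == '__main__':
    for number, url in find_risky_invocations(SAMPLE_HISTORY):
        print(f'line {number}: --netrc-cmd with {{}} and metacharacters in URL {url}')
```

The same function can be pointed at a collected command-line audit log (for example, process-creation events) instead of a history file.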
Monitoring Recommendations
- Enable detailed logging for yt-dlp operations, particularly when --netrc-cmd is configured
- Deploy endpoint detection rules to identify command injection attempts against media downloaders
- Monitor for outbound network connections from processes that shouldn't be making external requests
- Alert on yt-dlp configuration files containing netrc_cmd with placeholder patterns
How to Mitigate CVE-2026-26331
Immediate Actions Required
- Upgrade yt-dlp to version 2026.02.21 or later immediately
- Audit all systems and scripts using yt-dlp for --netrc-cmd or netrc_cmd usage
- Review recent yt-dlp execution logs for any suspicious URL patterns
- Temporarily disable --netrc-cmd functionality if immediate upgrade is not possible
Patch Information
The vulnerability is fixed in yt-dlp version 2026.02.21. The patch implements strict validation of all netrc "machine" values, limiting them to shell-safe characters and raising an error upon unexpected input. Users should upgrade to this version or later. The fix is available through the GitHub Release 2026.02.21. Additional technical details are available in the GitHub Security Advisory GHSA-g3gw-q23r-pgqm.
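The kind of validation the fix is described as adding, reconstructed here as an added example rather than yt-dlp's own code: the allow-list regex, the derivation of the machine name from the URL host, and the shell-free expansion of the {} template are all assumptions about how such a check would be written, not the project's implementation. The `pass show yt/{}` template and the example hosts are constructed.

```python
import re
import shlex
import subprocess
from urllib.parse import urlsplit

# Allow-list for a netrc "machine" value: dot-separated labels of letters,
# digits and hyphens, optionally followed by a port. This is an assumption
# about what "shell-safe" should mean, not yt-dlp's own pattern.
NETRC_MACHINE_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$')

def is_safe_netrc_machine(machine):
    return NETRC_MACHINE_RE.fullmatch(machine) is not None

def validate_netrc_machine(machine):
    """Mirror the fixed behaviour described above: reject, rather than pass
    through, anything outside the allow-list."""
    if not is_safe_netrc_machine(machine):
        raise ValueError(f'netrc machine value contains unsafe characters: {machine!r}')
    return machine

def netrc_machine_from_url(url):
    """Derive the machine name from the URL host, the path an extractor that
    keys netrc lookups on the hostname would take (assumed here)."""
    host = urlsplit(url).hostname or ''
    return validate_netrc_machine(host)

def build_netrc_argv(template, machine):
    """Expand the {} placeholder of a --netrc-cmd template into an argv list.
    The template is split first and the (validated) machine substituted into
    individual arguments, so the result can be run without a shell."""
    machine = validate_netrc_machine(machine)
    return [arg.replace('{}', machine) for arg in shlex.split(template)]

def run_netrc_cmd(template, url):
    """Run the credential helper with shell=False; stdout is the netrc text."""
    argv = build_netrc_argv(template, netrc_machine_from_url(url))
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout

if __name__ == '__main__':
    print(build_netrc_argv('pass show yt/{}', 'school.example.com'))
    for url in ('https://school.example.com/teach/x', 'https://school.example.com;marker/teach/x'):
        try:
            print(url, '->', netrc_machine_from_url(url))
        except ValueError as exc:
            print(url, '->', exc)
```

Both layers matter: the allow-list stops a hostile host name early with a clear error, and the argv-based execution means a shell never parses the value even if the allow-list were later relaxed.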
Workarounds
- Remove the --netrc-cmd command-line option from all yt-dlp invocations and configurations
- Avoid using the netrc_cmd parameter in Python scripts utilizing the yt-dlp library
- If --netrc-cmd must be used, do not pass a placeholder ({}) in the argument
- Consider using alternative authentication methods such as cookies or direct credential files
# Shell commands: verify the installed version, upgrade, and audit for --netrc-cmd usage
# Verify current yt-dlp version
yt-dlp --version
# Upgrade yt-dlp to the patched version (quote the specifier so the shell does not treat >= as a redirection)
pip install --upgrade 'yt-dlp>=2026.02.21'
# Alternative: invoke pip through the interpreter that yt-dlp runs under
python3 -m pip install --upgrade 'yt-dlp>=2026.02.21'
# Check for --netrc-cmd usage in configuration files and shell history
grep -r "netrc-cmd\|netrc_cmd" ~/.config/yt-dlp/ /etc/yt-dlp.conf 2>/dev/null
grep "netrc-cmd" ~/.bash_history ~/.zsh_history 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.