CVE-2026-33310 Overview
CVE-2026-33310 is a command injection vulnerability affecting Intake, a Python package designed for finding, investigating, loading, and disseminating data. The vulnerability exists in the catalog parsing process where the shell() syntax within parameter default values is automatically expanded during catalog parsing. When a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML file, embedded commands could execute on the host system without explicit user consent.
Critical Impact
Attackers can achieve remote code execution by crafting malicious Intake catalog YAML files that execute arbitrary shell commands when loaded by unsuspecting users.
Affected Products
- Intake versions prior to 2.0.9
- Any application that uses a vulnerable Intake version to parse untrusted catalog files
- Systems where users may load external or untrusted YAML catalog sources
Discovery Timeline
- 2026-03-24 - CVE-2026-33310 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33310
Vulnerability Analysis
This vulnerability stems from unsafe default behavior in the Intake library's catalog processing mechanism. The getshell parameter, which controls whether shell command expansion is allowed during catalog parsing, was set to True by default. This design choice enables the automatic execution of any commands embedded within shell() syntax in catalog YAML files.
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. When a user loads a YAML catalog file from an untrusted source, any shell() directives within parameter defaults are executed immediately during the parsing phase, before the user has any opportunity to inspect or validate the content.
Root Cause
The root cause is the insecure default configuration where the getshell parameter was initialized to True in multiple components of the Intake library. This default setting allowed shell command expansion during catalog parsing without requiring explicit user opt-in. The affected code paths include the catalog base module and entry module, where the constructor methods accepted getshell=True as the default parameter value.
Attack Vector
An attacker can exploit this vulnerability by distributing a malicious Intake catalog YAML file containing embedded shell commands. The attack requires user interaction—specifically, the victim must load the malicious catalog file. The attack vector is network-based, as malicious catalogs can be distributed via URLs, shared repositories, or any data sharing mechanism. Once a victim's Intake instance parses the malicious catalog, the embedded shell commands execute with the privileges of the user running the application.
The security patch disables shell expansion by default:
metadata=None,
ttl=60,
getenv=True,
- getshell=True,
+ getshell=False,
persist_mode="default",
storage_options=None,
user_parameters=None,
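Review bot: flipping the default to getshell=False here leaves the keyword itself as a live code path, so any caller that already passes getshell=True explicitly keeps the old behaviour; please state the new default in the constructor docstring and changelog so integrators re-check their call sites. The same signature keeps getenv=True, so env() expansion in catalog templates still happens by default; that is a scope decision worth one sentence in the commit message so readers do not assume all template expansion is now off.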
Source: GitHub Commit d0c0b6b
The fix was also applied to the entry module:
and by remote entries (read from a server).
"""
- def __init__(self, getenv=True, getshell=True):
+ def __init__(self, getenv=True, getshell=False):
self._default_source = None
self.getenv = getenv
self.getshell = getshell
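Review bot: the docstring that ends just above the signature ("and by remote entries (read from a server)") says nothing about the changed default; add a line stating that shell() expansion is now opt-in via getshell=True. Since self.getshell is stored as a plain attribute, code that later assigns entry.getshell = True silently re-enables expansion; a short comment at that assignment would help reviewers of downstream code spot such re-enabling.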
Source: GitHub Commit d0c0b6b
Detection Methods for CVE-2026-33310
Indicators of Compromise
- Unexpected process spawning from Python applications using Intake
- Suspicious YAML catalog files containing shell() directives in parameter defaults
- Network connections or file system modifications initiated during catalog loading operations
- Command execution events correlated with Intake catalog parsing activity
Detection Strategies
- Monitor for suspicious child process creation from Python processes that use the Intake library
- Implement file integrity monitoring on catalog YAML files to detect malicious modifications
- Scan catalog files for shell() syntax patterns before loading
- Deploy endpoint detection rules to identify command injection patterns in YAML files
Monitoring Recommendations
- Enable logging for all catalog file loads in Intake-based applications
- Configure alerts for unusual shell command execution patterns from data processing applications
- Review and audit third-party catalog sources before integration into production systems
- Implement application-level logging to track which catalog files are loaded and from which sources
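The two lists above ask for application-level logging of catalog loads and for alerts on shell spawns from Python processes. The Python below, an added example that is not from the advisory or the Intake project, joins those two signals: a process-start event whose parent is a Python interpreter and whose image is a shell is flagged only when the same parent pid logged a catalog load shortly before. The log line format, process ids, paths and timestamps are all constructed for illustration and assume a key=value event format; map them onto what your EDR and application logs actually emit.

```python
"""Correlate shell spawns by Python processes with preceding catalog loads.

Assumed (constructed) log format, one event per line:
  <ISO-8601 ts> catalog_load pid=<int> catalog=<path>
  <ISO-8601 ts> proc_start pid=<int> ppid=<int> parent_image=<path> image=<path> cmdline="<text>"
"""
import shlex
from datetime import datetime

# Shell binaries whose spawn by a Python parent is treated as suspicious.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}


def _basename(path: str) -> str:
    """Last path component, lower-cased, for both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> dict:
    """Parse one event line into a dict; quoted values are handled by shlex."""
    ts, kind, rest = line.split(" ", 2)
    fields = {}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    fields["kind"] = kind
    return fields


def correlate(lines, window_seconds: float = 5.0) -> list:
    """Return alerts for shell children of Python processes that loaded a
    catalog at most window_seconds earlier (same pid as the child's ppid)."""
    events = [parse_line(line) for line in lines]

    # Index catalog-load events by the pid of the loading process.
    loads_by_pid = {}
    for ev in events:
        if ev["kind"] == "catalog_load":
            loads_by_pid.setdefault(int(ev["pid"]), []).append(ev)

    alerts = []
    for ev in events:
        if ev["kind"] != "proc_start":
            continue
        if not _basename(ev["parent_image"]).startswith("python"):
            continue
        if _basename(ev["image"]) not in SHELL_NAMES:
            continue
        for load in loads_by_pid.get(int(ev["ppid"]), []):
            delta = (ev["ts"] - load["ts"]).total_seconds()
            if 0 <= delta <= window_seconds:
                alerts.append({
                    "ts": ev["ts"].isoformat(),
                    "parent_pid": int(ev["ppid"]),
                    "child_pid": int(ev["pid"]),
                    "cmdline": ev["cmdline"],
                    "catalog": load["catalog"],
                    "seconds_after_load": delta,
                })
                break  # one alert per spawn is enough
    return alerts


# Constructed sample events: one true positive, three benign cases.
SAMPLE_LOG = [
    "2026-03-25T10:00:00Z catalog_load pid=4242 catalog=/data/shared/vendor_catalog.yml",
    # shell child of the loading process, 1 s after the load -> alert
    '2026-03-25T10:00:01Z proc_start pid=4243 ppid=4242 parent_image=/usr/bin/python3 image=/bin/sh cmdline="sh -c date"',
    # non-shell child -> ignored by this rule
    '2026-03-25T10:00:02Z proc_start pid=4244 ppid=4242 parent_image=/usr/bin/python3 image=/usr/bin/ls cmdline="ls /tmp"',
    # shell child, but 30 s after the load -> outside the default window
    '2026-03-25T10:00:30Z proc_start pid=4245 ppid=4242 parent_image=/usr/bin/python3 image=/bin/bash cmdline="bash build.sh"',
    # shell child of a Python process that never logged a catalog load -> no alert
    '2026-03-25T10:00:03Z proc_start pid=5001 ppid=5000 parent_image=/usr/bin/python3 image=/bin/sh cmdline="sh -c make"',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The rule assumes that shell() expansion runs its command through a shell, as the template name suggests, so the expected child is sh or bash rather than the target binary directly; widen SHELL_NAMES if your telemetry shows otherwise. Tune window_seconds to the time a catalog load takes on your hosts; a window that is too wide pulls in build scripts and other legitimate subprocess use, as the 30 s case in the sample shows.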
How to Mitigate CVE-2026-33310
Immediate Actions Required
- Upgrade Intake to version 2.0.9 or later immediately
- Audit all existing catalog YAML files for potentially malicious shell() directives
- Restrict loading of catalog files from untrusted or external sources
- Review application code to ensure getshell is explicitly set to False if upgrade is delayed
Patch Information
The vulnerability has been addressed in Intake version 2.0.9, which sets getshell to False by default everywhere. The patch modifies the default behavior in intake/catalog/base.py and intake/catalog/entry.py to disable automatic shell expansion. For detailed patch information, refer to the GitHub Security Advisory GHSA-37g4-qqqv-7m99 and the security patch commit.
Workarounds
- Explicitly set getshell=False when instantiating Intake catalogs if immediate upgrade is not possible
- Implement input validation to scan and reject catalog files containing shell() syntax
- Isolate Intake catalog processing in sandboxed environments with limited system access
- Use network segmentation to prevent catalog loading from untrusted external sources
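The detection list and the workarounds above both call for scanning a catalog for shell() syntax and rejecting it before Intake parses it. The Python below is an added example, not code from the advisory or from Intake: it walks an already-parsed catalog (the structure yaml.safe_load would return, so PyYAML is not needed here) and reports every string containing a shell( template, which is broader than the parameter defaults the advisory names; a second function reports only the sources.*.parameters.*.default location the advisory describes. The sample catalog, its source names and paths are constructed.

```python
"""Pre-load scanner that rejects Intake catalogs containing shell() templates."""
import re

# Matches the shell(<command>) template syntax named in the advisory.
SHELL_TEMPLATE = re.compile(r"\bshell\s*\(")


def find_shell_templates(node, path=()):
    """Recursively yield (dotted_path, value) for every string containing shell(.
    Walks dicts, lists and strings; other scalar types cannot carry a template."""
    if isinstance(node, str):
        if SHELL_TEMPLATE.search(node):
            yield ".".join(path), node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from find_shell_templates(value, path + (str(key),))
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            yield from find_shell_templates(value, path + (f"[{index}]",))


def parameter_default_hits(catalog):
    """Only the location the advisory describes: sources.<name>.parameters.<p>.default."""
    hits = []
    for source_name, source in (catalog.get("sources") or {}).items():
        params = (source or {}).get("parameters") or {}
        for param_name, param in params.items():
            default = (param or {}).get("default")
            if isinstance(default, str) and SHELL_TEMPLATE.search(default):
                hits.append((source_name, param_name, default))
    return hits


def check_catalog(catalog):
    """Return (ok, findings); ok is False if any shell() template is present."""
    findings = list(find_shell_templates(catalog))
    return (not findings), findings


# Constructed sample catalog: one clean source, one with a shell() default.
SAMPLE_CATALOG = {
    "metadata": {"version": 1},
    "sources": {
        "sales": {
            "driver": "csv",
            "args": {"urlpath": "/data/sales.csv"},
            "parameters": {
                # env() template: not a shell() template, so not flagged here
                "region": {"type": "str", "default": "env(SALES_REGION)"},
            },
        },
        "inventory": {
            "driver": "csv",
            "args": {"urlpath": "/data/inventory.csv"},
            "parameters": {
                # shell() template in a parameter default: flagged
                "snapshot": {"type": "str", "default": "shell(date +%F)"},
            },
        },
    },
}

if __name__ == "__main__":
    ok, findings = check_catalog(SAMPLE_CATALOG)
    print("catalog accepted" if ok else "catalog rejected")
    for location, value in findings:
        print(f"  {location}: {value!r}")
```

A catalog that passes this check should still be opened with expansion disabled, for example intake.open_catalog(path, getshell=False); that assumes open_catalog forwards keyword arguments to the Catalog constructor shown in the patch, which is an assumption about the Intake API rather than something the advisory states. Run the scanner on the raw file before any Intake code touches it, since the vulnerable versions expand templates during parsing.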
# Upgrade Intake to patched version (quote the requirement: an unquoted ">=" is a shell redirect)
pip install --upgrade "intake>=2.0.9"
# Verify installed version
pip show intake | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.