CVE-2026-41645 Overview
CVE-2026-41645 is a code injection vulnerability [CWE-94] in Nuclei, the YAML-based vulnerability scanner maintained by ProjectDiscovery. The flaw exists in the expression evaluation engine of Nuclei versions 3.0.0 through 3.7.x. A malicious target server can return HTTP response data containing helper-function syntax. When that data is reused by multi-step templates, Nuclei evaluates the attacker-controlled expressions inside its domain-specific language (DSL) engine. If the operator launches Nuclei with the -env-vars / -ev flag, the injected expressions can read host environment variables. ProjectDiscovery patched the issue in Nuclei version 3.8.0.
Critical Impact
A hostile scan target can coerce Nuclei into executing supported DSL expressions during multi-step template runs, enabling information disclosure of host environment variables when -env-vars is enabled.
Affected Products
- ProjectDiscovery Nuclei versions 3.0.0 through 3.7.x
- Nuclei Go module github.com/projectdiscovery/nuclei/v3
- Multi-step HTTP template workflows that reuse response data
Discovery Timeline
- 2026-05-08 - CVE-2026-41645 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2026-41645
Vulnerability Analysis
Nuclei templates support a DSL with helper functions delimited by {{ }} markers. The expression engine resolves these expressions against a runtime variable map during request preparation. In multi-step HTTP templates, response data from a prior step can flow into variables used by subsequent steps. The vulnerable code in pkg/protocols/common/expressions/expressions.go did not distinguish between template-authored expressions and helper-function syntax injected by an upstream HTTP response. When the engine encountered attacker-controlled text shaped like a DSL helper call, it evaluated the call against the live variable context. With the -env-vars flag set, the variable context includes host environment variables, allowing a malicious server to exfiltrate secrets through the scanner.
Root Cause
The root cause is improper control of code generation [CWE-94] in the expression evaluator. The evaluate function in expressions.go extracted expressions from data after that data was already populated with response content. The isExpression check in variables.go further executed expr.Evaluate(nil) to validate expressions, which itself triggered helper function evaluation on untrusted strings.
Attack Vector
Exploitation requires the scanner operator to point Nuclei at a malicious target and run a multi-step template. The attacker controls only the HTTP response content. Successful exploitation does not yield arbitrary code execution, but it does allow invocation of supported DSL helpers and, with -env-vars enabled, disclosure of environment variables. User interaction is required and attack complexity is high because the operator must choose to scan the malicious endpoint with a vulnerable template chain.
// Patch: only evaluate template-authored expressions, before response data is substituted
func evaluate(data string, base map[string]interface{}) (string, error) {
	expressions := FindExpressions(data, marker.ParenthesisOpen, marker.ParenthesisClose, base)
	// replace simple placeholders (key => value) MarkerOpen + key + MarkerClose and General + key + General to value
	data = replacer.Replace(data, base)
	// expressions can be:
	// - simple: containing base values keys (variables)
	// - complex: containing helper functions [ + variables]
	// literals like {{2+2}} are not considered expressions
	for _, expression := range expressions {
		// replace variable placeholders with base values
		expression = replacer.Replace(expression, base)
		// ... excerpt truncated here
Source: ProjectDiscovery Nuclei commit d2217320
// Patch: isExpression no longer calls Evaluate on untrusted input
	if expr == nil {
		return true
	}
	return len(expr.Vars()) == 0
Source: ProjectDiscovery Nuclei commit 6c803c74
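The ordering change behind the patch excerpts above, shown as an added toy evaluator in Go. This is example code written for this page, not Nuclei's own engine: findExpressions, replaceVars and the single getenv helper are simplified stand-ins, and the template, variable values and env map are constructed.

```go
package main

import (
	"regexp"
	"strings"
)

// Toy stand-ins for Nuclei's marker scanning and its getenv helper.
var exprRe = regexp.MustCompile(`\{\{(.*?)\}\}`)
var helperRe = regexp.MustCompile(`^getenv\("([A-Za-z_][A-Za-z0-9_]*)"\)$`)
// findExpressions returns the text inside every {{ }} pair in data.
func findExpressions(data string) []string {
	var out []string
	for _, m := range exprRe.FindAllStringSubmatch(data, -1) {
		out = append(out, m[1])
	}
	return out
}

// replaceVars substitutes {{key}} with vars[key]; in a multi-step template
// this map is where untrusted response data from an earlier step lands.
func replaceVars(data string, vars map[string]string) string {
	for k, v := range vars {
		data = strings.ReplaceAll(data, "{{"+k+"}}", v)
	}
	return data
}
// evalHelpers resolves getenv("NAME") calls listed in exprs against env.
func evalHelpers(data string, exprs []string, env map[string]string) string {
	for _, e := range exprs {
		if m := helperRe.FindStringSubmatch(strings.TrimSpace(e)); m != nil {
			data = strings.ReplaceAll(data, "{{"+e+"}}", env[m[1]])
		}
	}
	return data
}
// EvaluateVulnerable mirrors the pre-3.8.0 order: substitute first, then scan,
// so helper syntax that arrived inside response data is found and evaluated.
func EvaluateVulnerable(tmpl string, vars, env map[string]string) string {
	data := replaceVars(tmpl, vars)
	return evalHelpers(data, findExpressions(data), env)
}
// EvaluateFixed mirrors the patch: scan the template text before substitution,
// so whatever the response injected stays an opaque string.
func EvaluateFixed(tmpl string, vars, env map[string]string) string {
	exprs := findExpressions(tmpl)
	data := replaceVars(tmpl, vars)
	return evalHelpers(data, exprs, env)
}
```

Template-authored helpers (a `{{getenv(...)}}` written in the YAML itself) still evaluate in the fixed path; only text that arrives through the variable map is demoted to data.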
Detection Methods for CVE-2026-41645
Indicators of Compromise
- HTTP responses returned by scanned targets that contain Nuclei DSL helper syntax such as {{getenv(, {{print(, or other helper function names embedded in unusual response fields.
- Nuclei process command lines that include the -env-vars or -ev flag combined with multi-step template execution against untrusted internet targets.
- DNS or HTTP egress from the host running Nuclei to attacker-controlled domains shortly after a scan, suggesting environment variable exfiltration.
Detection Strategies
- Inventory all hosts running the nuclei binary and verify the installed version is 3.8.0 or later.
- Audit CI/CD pipelines, bug bounty automation, and SOC tooling for invocations that combine -env-vars with scanning of arbitrary or user-supplied targets.
- Review custom multi-step templates for response data that flows into subsequent request fields without explicit sanitization.
Monitoring Recommendations
- Log full Nuclei command-line arguments and template names from job runners to detect unsafe flag combinations.
- Monitor egress from scanner hosts and alert on connections that follow scans of low-reputation domains.
- Track Nuclei version drift across scanning infrastructure and fail builds that pin versions below 3.8.0.
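Two of the checks above (helper syntax in captured responses, and -env-vars / -ev in logged command lines) as an added Go example that is not part of the advisory or of Nuclei; the regex heuristic, function names and sample responses are constructed for illustration.

```go
package main

import (
	"regexp"
	"strings"
)

// dslHelperRe is a triage heuristic for text shaped like a Nuclei helper call: {{name(
var dslHelperRe = regexp.MustCompile(`\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(`)

// HelperCallsIn returns the helper names that appear in a captured response (headers or body).
func HelperCallsIn(response string) []string {
	var names []string
	for _, m := range dslHelperRe.FindAllStringSubmatch(response, -1) {
		names = append(names, m[1])
	}
	return names
}

// UnsafeInvocation reports whether a logged nuclei command line enables environment
// variable exposure via -env-vars or -ev (also accepting --flag and -flag=value forms).
func UnsafeInvocation(cmdline string) bool {
	for _, arg := range strings.Fields(cmdline) {
		if !strings.HasPrefix(arg, "-") {
			continue // positional values such as target names are never flags
		}
		name, val := strings.TrimLeft(arg, "-"), ""
		if i := strings.Index(name, "="); i >= 0 {
			name, val = name[:i], name[i+1:]
		}
		if (name == "env-vars" || name == "ev") && val != "false" {
			return true
		}
	}
	return false
}

// Constructed samples: a benign response and one carrying injected helper syntax.
var sampleResponses = []string{
	"HTTP/1.1 200 OK\r\nX-Request-Id: abc123\r\n\r\n<html>ok</html>",
	"HTTP/1.1 200 OK\r\nX-Token: {{getenv(\"AWS_SECRET_ACCESS_KEY\")}}\r\n\r\n{{ print(\"x\") }}",
}
```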
How to Mitigate CVE-2026-41645
Immediate Actions Required
- Upgrade Nuclei to version 3.8.0 or later on every host, container image, and CI runner.
- Remove the -env-vars / -ev flag from all Nuclei invocations unless strictly required, and never combine it with scans of untrusted targets.
- Rotate any secrets that were present in environment variables on hosts that ran vulnerable Nuclei builds with -env-vars enabled against external targets.
Patch Information
ProjectDiscovery released the fix in Nuclei v3.8.0. Technical details are documented in GitHub Security Advisory GHSA-jm34-66cf-qpvr and the corresponding fixes in PR #7221 and PR #7321.
Workarounds
- Do not pass -env-vars or -ev on the command line; the option is off by default and standard configurations are not exposed to environment variable disclosure.
- Restrict Nuclei scans of untrusted targets to single-request templates that do not reuse response data in later steps.
- Run Nuclei inside a least-privilege container with a scrubbed environment so that any residual evaluation has no secrets to read.
# Pin Nuclei to a fixed version and confirm patch level
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@v3.8.0
nuclei -version
# Safe invocation: omit -env-vars/-ev when scanning external targets
nuclei -u https://target.example.com -t http/cves/ -severity high,critical
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.