CVE-2026-42076 Overview
CVE-2026-42076 is a command injection vulnerability in Evolver, a GEP-powered self-evolving engine for AI agents. The flaw resides in the _extractLLM() function, which constructs a curl command using string concatenation and passes it to execSync() without sanitization. Attackers can inject shell metacharacters through the corpus parameter to execute arbitrary commands on the server. The vulnerability affects all versions prior to 1.69.3 and is tracked under [CWE-78] (OS Command Injection). Maintainers patched the issue in version 1.69.3.
Critical Impact
Unauthenticated remote attackers can execute arbitrary shell commands on hosts running vulnerable Evolver deployments, leading to full server compromise.
Affected Products
- Evolver (EvoMap) versions prior to 1.69.3
- Deployments exposing the _extractLLM() code path to untrusted input
- AI agent pipelines that invoke Evolver corpus extraction
Discovery Timeline
- 2026-05-04 - CVE-2026-42076 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-42076
Vulnerability Analysis
The vulnerability resides in Evolver's _extractLLM() function. The function builds a shell command line by concatenating the user-controllable corpus parameter into a curl invocation. It then hands the resulting string to Node.js execSync(), which spawns a shell to interpret the command. Because the input never passes through escaping or argument-array execution, shell metacharacters such as ;, |, `, $(), and && retain their special meaning. An attacker who controls the corpus value can append arbitrary commands that the Node.js process executes with its own privileges. Successful exploitation grants remote code execution, enabling credential theft, lateral movement, deployment of persistent backdoors, and tampering with AI agent outputs. Refer to the GitHub Security Advisory GHSA-j5w5-568x-rq53 for technical details.
Root Cause
The root cause is unsafe command construction. _extractLLM() uses string concatenation to embed untrusted input into a shell command and then executes it through execSync(), a shell-invoking API. The function lacks input validation, allowlisting, and shell escaping. Using execFile() or spawn() with an argument array, or shell-quoting helpers, would have prevented the metacharacter injection.
Attack Vector
The attack is reachable over the network and requires no authentication or user interaction. An attacker submits a crafted corpus value containing shell metacharacters through any interface that forwards input to _extractLLM(). The injected payload runs in the same shell context as the parent curl invocation, achieving arbitrary command execution on the host. See the security advisory for proof-of-concept details.
Detection Methods for CVE-2026-42076
Indicators of Compromise
- Unexpected child processes spawned by the Node.js Evolver process, particularly shells (/bin/sh, bash) invoking curl, wget, or download-and-execute chains.
- Outbound network connections from the Evolver host to unrecognized domains immediately following corpus extraction events.
- Application logs containing corpus parameter values with shell metacharacters such as ;, |, `, $(, or &&.
Detection Strategies
- Inspect HTTP request bodies and query parameters routed to Evolver endpoints for shell metacharacters in the corpus field.
- Correlate Node.js process telemetry with shell command execution to flag deviations from the normal curl invocation pattern.
- Hunt for newly created files, cron entries, or systemd units written by the Evolver service account after suspicious requests.
Monitoring Recommendations
- Enable verbose application logging for _extractLLM() invocations and forward logs to a central SIEM.
- Alert on any process tree where the Evolver runtime is the parent of an interactive shell or networking tool other than curl.
- Monitor egress traffic from servers running Evolver and baseline expected destinations for the AI agent workload.
How to Mitigate CVE-2026-42076
Immediate Actions Required
- Upgrade Evolver to version 1.69.3 or later as published in the GitHub EvoMap Release v1.69.3.
- Audit application logs and host telemetry for prior exploitation attempts targeting the corpus parameter.
- Rotate any secrets, API keys, or tokens accessible to the Evolver process if compromise is suspected.
Patch Information
The maintainers fixed the issue in Evolver 1.69.3. The patch removes the unsafe string concatenation in _extractLLM() and uses a safe argument-array invocation that prevents shell metacharacter interpretation. Patch notes are available in the GitHub EvoMap Release v1.69.3 and the GitHub Security Advisory GHSA-j5w5-568x-rq53.
Workarounds
- If immediate upgrade is not possible, restrict network access to Evolver endpoints so only trusted internal callers can submit corpus input.
- Place a reverse proxy or web application firewall in front of Evolver and reject requests whose corpus parameter contains shell metacharacters.
- Run the Evolver service under a least-privilege account inside a container or sandbox to limit the blast radius of any successful injection.
# Configuration example: upgrade to the patched release
npm install evolver@1.69.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
