CVE-2026-35370: uutils coreutils has an Incorrect Authorization issue

April 22, 2026 (updated April 30, 2026)

The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user’s real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.

References

github.com/advisories/GHSA-q94g-3gcf-66x7
github.com/uutils/coreutils
github.com/uutils/coreutils/issues/10006
nvd.nist.gov/vuln/detail/CVE-2026-35370

Code Behaviors & Features

Detect and mitigate CVE-2026-35370 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →