CVE-2026-33310: Intake has a Command Injection via shell() Expansion in Parameter Defaults

March 19, 2026 (updated March 25, 2026)

The shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. This behavior could potentially be classified as OS Command Injection / Unsafe Shell Expansion.

References

github.com/advisories/GHSA-37g4-qqqv-7m99
github.com/intake/intake
github.com/intake/intake/commit/d0c0b6b57c1cb3f73880655ded4a9b0e18e1fd1b
github.com/intake/intake/security/advisories/GHSA-37g4-qqqv-7m99
nvd.nist.gov/vuln/detail/CVE-2026-33310

Code Behaviors & Features

Detect and mitigate CVE-2026-33310 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →