Bug 2450890 (CVE-2026-32948)

Summary: CVE-2026-32948 org.scala-sbt/sbt: sbt: Arbitrary command execution via unvalidated URI fragments on Windows
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: asoldano, bbaranow, bmaxwell, bstansbe, dlofthou, istudens, ivassile, iweiss, mosmerov, msvehla, nwallace, pberan, pesilva, pjindal, pmackay, rstancel, smaestri, thjenkin, vdosoudi
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in sbt, a build tool for Scala and Java. On Windows, sbt runs version control system (VCS) commands through the `cmd /c` command interpreter. The URI fragment of a project reference in the build definition (the branch, tag, or revision name) is passed into that command line without validation. Because `cmd /c` treats characters such as `&` and `|` as command separators, an attacker who can supply or influence a build definition, for example by getting a victim to build a project that references a repository URI with a crafted fragment, can inject and execute arbitrary commands on the Windows host running sbt. Builds running on other operating systems do not use `cmd /c` and are not affected by this flaw.

Description OSIDB Bzimport 2026-03-24 20:01:44 UTC
sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses `Process("cmd", "/c", ...)` to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because `cmd /c` interprets `&`, `|`, and `;` as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.
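The following is an added illustration of the defect class described above, written in Python for portability; it is not sbt's code and does not reproduce the 1.12.7 fix. It models the unsafe pattern (a VCS command line concatenated from a user-controlled URI fragment and handed to an interpreter such as `cmd /c`) beside the hardened shape a practitioner would want: the fragment is checked against an allowlist modelled on `git check-ref-format` rules plus cmd.exe metacharacters, and the command is built as an argv list so no interpreter parses `&` or `|`. The function names, the sample URIs, and the checkout-only scope are assumptions made for this example. Note that cmd.exe itself splits commands on `&`, `&&`, `|` and `||`; the validator also rejects `;` conservatively, matching the advisory's list.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Characters that cmd.exe treats as command separators, redirection, or
# escapes. ';' is included conservatively (the advisory lists it); the
# separators cmd.exe actually splits commands on are & && | ||.
CMD_META = set("&|;<>^%\"\r\n")

# Characters git's check-ref-format rejects anywhere in a ref name:
# whitespace, control chars, and ~ ^ : ? * [ \
REF_FORBIDDEN = re.compile(r"[\s~^:?*\[\\\x00-\x1f\x7f]")


def split_vcs_uri(uri: str) -> tuple[str, str]:
    """Split a project-reference URI into (repo URL without fragment, fragment).

    In an sbt build definition the fragment names the branch/tag/revision.
    """
    parts = urlsplit(uri)
    return parts._replace(fragment="").geturl(), parts.fragment


def vulnerable_cmdline(fragment: str) -> str:
    """The unsafe shape: one string that an interpreter (cmd /c) will parse."""
    return f"git checkout {fragment}"


def injected_commands(fragment: str) -> list[str]:
    """Show how cmd.exe would split the concatenated line into commands."""
    line = vulnerable_cmdline(fragment)
    return [p.strip() for p in re.split(r"&&|\|\||[&|]", line) if p.strip()]


def is_safe_ref(fragment: str) -> bool:
    """Allowlist for a branch/tag/revision name (assumed policy for this example)."""
    if not fragment or len(fragment) > 255:
        return False
    if any(c in CMD_META for c in fragment):
        return False
    if REF_FORBIDDEN.search(fragment):
        return False
    # A leading '-' would be parsed by git as an option, not a ref.
    if fragment[0] in "-/" or fragment.endswith(("/", ".", ".lock")):
        return False
    if ".." in fragment or "@{" in fragment or "//" in fragment:
        return False
    if any(part.startswith(".") for part in fragment.split("/")):
        return False
    return True


def safe_checkout_argv(fragment: str) -> list[str]:
    """Hardened shape: validated ref, passed as a single argv element (no shell)."""
    if not is_safe_ref(fragment):
        raise ValueError(f"refusing to check out invalid ref {fragment!r}")
    return ["git", "checkout", fragment]


def run_checkout(repo_dir: str, fragment: str) -> subprocess.CompletedProcess:
    """Run the hardened form. shell=False (the default) means no cmd.exe parsing."""
    return subprocess.run(safe_checkout_argv(fragment), cwd=repo_dir,
                          check=True, capture_output=True)


if __name__ == "__main__":
    # Constructed sample URIs, as they might appear in a build definition.
    samples = [
        "https://example.invalid/org/repo.git#release/1.2",
        "https://example.invalid/org/repo.git#main&calc.exe",
        "https://example.invalid/org/repo.git#v1.0|whoami",
    ]
    for uri in samples:
        _, frag = split_vcs_uri(uri)
        print(f"fragment {frag!r}: cmd /c would run {injected_commands(frag)}")
        try:
            print("  hardened argv:", safe_checkout_argv(frag))
        except ValueError as err:
            print("  rejected:", err)
```

The demo never spawns a process; `run_checkout` is included only to show that the validated argv goes straight to `subprocess.run` without a shell. The two defenses are independent and both are worth keeping: dropping the interpreter removes the `&`/`|` splitting entirely, and the ref allowlist additionally blocks option injection (a fragment beginning with `-`) that an argv call alone would not prevent.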