Bug 2489315 (CVE-2026-42089)

Summary: CVE-2026-42089 yeoman-environment: Yeoman Environment: Arbitrary code execution via unconfirmed package installation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Yeoman Environment. This vulnerability allows an attacker to install arbitrary packages and execute code during command-line interface (CLI) bootstrap. This occurs because the software installs missing local generator packages from caller-supplied names without user confirmation, particularly when downstream consumers pass attacker-controlled project configurations. The primary impact is arbitrary code execution.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2491377, 2491379    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-16 17:01:26 UTC
Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.