CVE-2026-35533
HIGHmise 2026.2.18-2026.4.5 Local Settings - Config Trust Bypass
Title source: manualDescription
mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and then reach dangerous directives such as [env] _.source, templates, hooks, or tasks.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/jdx/mise/security/advisories/GHSA-436v-8fw5-4mj8
Scores
CVSS v3
7.7
EPSS
0.0015
EPSS Percentile
4.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-284
Status
published
Products (3)
crates.io/mise
2026.2.18 - 2026.6.4crates.io
jdx/mise
2026.2.18 - 2026.4.5
jdx/mise
>= 2026.2.18, <= 2026.4.5
Published
Apr 07, 2026
Tracked Since
Apr 08, 2026