CVE-2026-42168 in django-pyas2info

Summary

by MITRE • 07/17/2026

django-pyas2 through 1.2.3 is vulnerable to OS command injection via the cmd_receive and cmd_send fields on the Partner model. These fields are passed directly to os.system() in pyas2/utils.py without sanitization, allowing an authenticated admin user to execute arbitrary commands on the server when an AS2 message is received or sent.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/17/2026

The django-pyas2 library version 1.2.3 and earlier contains a critical operating system command injection vulnerability that stems from improper input validation within the Partner model's cmd_receive and cmd_send fields. This vulnerability resides in the pyas2/utils.py module where these fields are directly passed to the os.system() function without any sanitization or parameter escaping mechanisms, creating a pathway for malicious command execution on the affected server.

The technical flaw manifests when an authenticated administrator user modifies the cmd_receive or cmd_send fields within the Partner model configuration. These fields are designed to accept shell commands that should execute during AS2 message processing, but due to the lack of input validation, any command entered by the user gets directly interpreted and executed by the operating system shell. This represents a classic command injection vulnerability that falls under CWE-78, which specifically addresses improper neutralization of special elements used in OS commands.

The operational impact of this vulnerability is severe as it allows an authenticated attacker with administrative privileges to execute arbitrary commands on the server hosting the django-pyas2 application. This could potentially lead to complete system compromise, data exfiltration, privilege escalation, or denial of service conditions. The attack requires only administrative access to the web application, making it particularly dangerous in environments where admin credentials might be compromised or where least privilege principles are not properly enforced.

From a cybersecurity perspective, this vulnerability aligns with ATT&CK technique T1059.001 for command and script interpreters, specifically targeting the execution of operating system commands through legitimate system tools. The attack vector represents a privilege escalation scenario where an attacker leverages their administrative access to gain broader system control. Organizations using django-pyas2 should immediately implement mitigations including input validation, parameterized command execution, and proper privilege separation between administrative interfaces and system command execution functions.

The vulnerability demonstrates poor secure coding practices in input handling and process management within the pyas2 library implementation. It underscores the critical importance of validating and sanitizing all user inputs that will be used in system calls, particularly when these inputs originate from administrative configuration interfaces. The fix requires either implementing proper input validation mechanisms or using safer alternatives to os.system() such as subprocess with properly quoted arguments to prevent command injection attacks.

Organizations should prioritize patching this vulnerability by upgrading to django-pyas2 version 1.2.4 or later, where appropriate sanitization measures have been implemented. Additionally, network segmentation, monitoring of system command execution, and regular security audits of web applications should be conducted to detect potential exploitation attempts. The vulnerability serves as a reminder of the critical need for secure coding practices and proper input validation in all application components that interface with operating system functions, particularly those accessible through administrative user interfaces.

Responsible

MITRE

Reservation

04/24/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!