# [CRIT] [GHSA / CRITICAL] CVE-2026-54051: Network-AI: Improper Neutralization of Special Elements used in an OS Command

**Source:** GitHub Security Advisories
**Published:** 2026-06-19
**Article:** https://github.com/advisories/GHSA-qw6v-5fcf-5666

## Threat Profile

Network-AI: Improper Neutralization of Special Elements used in an OS Command

## Summary

The agent sandbox gates shell commands behind an allowlist (`SandboxPolicy.isCommandAllowed`), which THREAT_MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but `ShellExecutor` runs that string through `/bin/sh -c`. So any wildcard allow such as `git *`, `npm *` or `node *` also matches `git status; <anything>`, and a scoped c…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-54051`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1059.004** — Command and Scripting Interpreter: Unix Shell
- **T1033** — System Owner/User Discovery
- **T1082** — System Information Discovery

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Network-AI sandbox escape: node spawns /bin/sh -c with allowlist prefix + shell metacharacter injection

`UC_21_2` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=node (Processes.process_name=sh OR Processes.process_name=bash OR Processes.process_name=dash) Processes.process="*-c*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process
| `drop_dm_object_name(Processes)`
| where match(process,"(?i)\b(git|npm|node|yarn|pnpm)\b") AND match(process,"[;&|`$(){}<>]")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "node"
| where FileName in~ ("sh","bash","dash")
| where ProcessCommandLine has "-c"
| where ProcessCommandLine matches regex @"\b(git|npm|node|yarn|pnpm)\b"
| where ProcessCommandLine matches regex @"[;&|`$(){}<>]"
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
```

### Network-AI CVE-2026-54051 post-exploit: Linux recon utilities spawned from shell child of node

`UC_21_3` · phase: **actions** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (sh,bash,dash) (Processes.process_name IN (id,whoami,uname,hostname,curl,wget,nc,ncat,python,python3,perl,ssh-keygen,cat)) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessParentFileName =~ "node"
| where InitiatingProcessFileName in~ ("sh","bash","dash")
| where FileName in~ ("id","whoami","uname","hostname","curl","wget","nc","ncat","python","python3","perl","ssh-keygen","cat")
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
```

### Network-AI CVE-2026-54051 proof-of-concept artifact execution (poc-316.js / PWNED-316.txt)

`UC_21_4` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*poc-316.js*" OR Processes.process="*PWNED-316.txt*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

**Defender KQL:**
```kql
union
( DeviceProcessEvents
  | where Timestamp > ago(30d)
  | where ProcessCommandLine has_any ("poc-316.js","PWNED-316.txt")
  | project Timestamp, DeviceName, AccountName, Source="Process", InitiatingProcessFileName, FileName, Evidence=ProcessCommandLine ),
( DeviceFileEvents
  | where Timestamp > ago(30d)
  | where FileName in~ ("poc-316.js","PWNED-316.txt")
  | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, Source="File", InitiatingProcessFileName, FileName, Evidence=FolderPath )
| order by Timestamp desc
```

### Asset inventory: hosts running vulnerable network-ai (CVE-2026-54051, < 5.9.1)

`UC_21_5` · phase: **recon** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve="CVE-2026-54051" by Vulnerabilities.dest Vulnerabilities.signature Vulnerabilities.severity Vulnerabilities.cve
| `drop_dm_object_name(Vulnerabilities)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

**Defender KQL:**
```kql
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2026-54051"
| project DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
| order by DeviceName asc
```

### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-54051: Network-AI: Improper Neutralization of Special

`UC_21_1` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-54051: Network-AI: Improper Neutralization of Special ```
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name IN ("poc-316.js"))
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_name IN ("poc-316.js"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-54051: Network-AI: Improper Neutralization of Special
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where (FileName in~ ("poc-316.js"))
| project Timestamp, DeviceName, AccountName, FileName,
          FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FileName in~ ("poc-316.js"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-54051`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 6 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.