Cloudflare Wrangler Security Flaw: Command Injection Vulnerability in 'pages deploy' (CVE-2026-0933)
A critical command injection vulnerability has been disclosed in Wrangler, Cloudflare's command-line tool for building and deploying applications to the Cloudflare Workers platform. The flaw, tracked as CVE-2026-0933, is in the `wrangler pages deploy` command: according to the advisory, the value of the `--commit-hash` option is passed into a shell command without validation or escaping. Classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), the weakness lets anyone who controls that argument append shell metacharacters and run arbitrary commands on the machine performing the deployment. A commit hash is a short, strictly hexadecimal value, which makes this input an easy one to allow-list; an unvalidated pass-through to the shell matters most in CI, where option values are often assembled from variables that an outside party (a pull request author, a webhook payload) can influence.
The vulnerability affects the `wrangler` npm package, which many projects built on Cloudflare's serverless and edge services pull in as a devDependency. The disclosure was enough to trigger automated dependency updates: in one GitHub repository, an automated pull request was opened to bump `wrangler` from 4.54.0 to the patched 4.59.1 and was later auto-closed, typically what happens when such a PR is superseded or the dependency is updated another way. The OpenSSF Scorecard badge on that project's page indicates that the Cloudflare Workers SDK repository, which houses Wrangler, is assessed against Scorecard's supply-chain checks; a badge reflects project hygiene, not the absence of bugs in released code.
The flaw is a supply chain concern for anyone deploying through Wrangler: a successful exploit runs with the privileges of the deploy step, which means build pipelines, CI/CD runners, and developer workstations, along with whatever deployment credentials they hold. An automatically opened and closed update PR shows that dependency bots are reacting to the disclosure, but an auto-closed PR is not proof that the fix was merged; projects should confirm the resolved version in their lockfile, and projects without such automation must update by hand. According to the advisory, 4.59.1 sanitizes the user-supplied `--commit-hash` value before it reaches the shell, closing the injection vector. Users should upgrade to 4.59.1 or later.