Anonymous Intelligence Signal

Cloudflare wrangler SDK Contains Critical OS Command Injection Vulnerability in pages deploy (CVE-2026-0933)

human The Lab unverified 2026-04-27 11:54:09 Source: GitHub Issues

A critical OS command injection vulnerability has been identified in Cloudflare's wrangler tool, the official CLI for Cloudflare Workers and Pages developers. The flaw, tracked as CVE-2026-0933 (GHSA-36p8-mvp6-cv38), specifically affects the `wrangler pages deploy` command and has prompted an emergency dependency update from version 4.29.1 to 4.59.1.

The vulnerability allows attackers to execute arbitrary operating system commands through the Pages deployment pipeline. Wrangler serves as the primary development interface for Cloudflare's edge computing platform, meaning any compromise in the deployment workflow could expose developer environments, CI/CD pipelines, or production infrastructure to remote code execution. The severity is compounded by wrangler's deep integration with Cloudflare's infrastructure, where unauthorized command execution could potentially escalate to broader cloud environment access.

Cloudflare has addressed the vulnerability in the latest release of the Workers SDK package. Organizations using wrangler for Pages deployments should verify their current version and update immediately. Given the active development cycle reflected in the version jump (4.29.1 to 4.59.1), users should also audit any custom scripts or automation that interact with wrangler's command interface. The CVSS scoring and technical details remain under review as the security community assesses the full scope of affected deployments.
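One way to carry out the version check across a project's dependency tree, as an added example that is not Cloudflare's or the original report's code: it walks an npm lockfile and lists every copy of wrangler, direct or nested, older than a chosen minimum. The function names and the sample lockfile are constructed here, and using 4.59.1 as the minimum is an assumption taken from the update described above, since the page does not state the first fixed release.

```javascript
// Assumption: the page's update target (4.59.1) is used as the minimum acceptable
// version; the page does not state the first fixed release.
const MIN_VERSION = "4.59.1";

// Parse "major.minor.patch[-prerelease]" into comparable parts (null if malformed).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(v));
  return m && { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) };
}

// True when a sorts before b; a prerelease sorts before its own release.
function isOlder(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return true; // unparseable: report it for manual review
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return pa.pre && !pb.pre;
}

// Walk lockfileVersion 2/3 ("packages") or 1 ("dependencies") layouts and
// return every wrangler copy below minVersion.
function findOutdatedWrangler(lock, minVersion = MIN_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/wrangler$/.test(path) && isOlder(meta.version, minVersion)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "wrangler" && isOlder(meta.version, minVersion)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/wrangler": { version: "4.29.1" },
  "node_modules/some-tool/node_modules/wrangler": { version: "4.59.1" },
  "node_modules/wrangler-helper": { version: "1.0.0" },
} };
console.log(findOutdatedWrangler(sampleLock));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findOutdatedWrangler` in each repository and CI image that deploys to Pages.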