Cyber Posture

CVE-2026-39862

High · RCE · Updated

Published: 08 April 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: available (fixed in 2.5.1)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-39862 is a high-severity OS Command Injection (CWE-78) vulnerability in Shopify Tophat, a mobile application testing harness for macOS; versions before 2.5.1 are affected. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The EPSS score places it in the top 42.6% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique, Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of flaws such as the command injection in Tophat prior to 2.5.1, here by upgrading to the patched version.

SI-10 Information Input Validation (prevent)

Mandates validation of untrusted URL query parameters such as 'arguments' so that their contents cannot flow directly into /bin/bash -c execution.

Restriction of user-installed software (prevent)

Restricts and scans user-installed developer tools such as vulnerable Tophat versions to prevent their deployment on macOS workstations.

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Command and Scripting Interpreter: Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability enables remote code execution via exploitation of a client application (T1203) through OS command injection directly into /bin/bash (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbitrary commands on a developer's macOS workstation. Any developer with Tophat installed is vulnerable. For previously trusted build hosts, no confirmation dialog appears. Attacker commands run with the user's permissions. This vulnerability is fixed in 2.5.1.

Deeper analysis [AI]

CVE-2026-39862 is a remote code execution vulnerability (CWE-78: OS Command Injection) in Tophat, a mobile applications testing harness that runs on macOS developer workstations. Versions prior to 2.5.1 are affected: the 'arguments' query parameter of a crafted tophat:// or http://localhost:29070 URL passes unsanitized from URL parsing straight into a /bin/bash -c invocation, so shell metacharacters in the parameter are interpreted by bash and arbitrary commands run.

Any developer with Tophat installed is exposed. An attacker who gets a crafted URL to the application runs commands with that developer's permissions, which means anything the developer account can reach on the workstation. For previously trusted build hosts no confirmation dialog appears, so execution is silent. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability.

The vulnerability is fixed in Tophat 2.5.1; upgrade to that version or later. Further details are in the GitHub security advisory GHSA-8x8g-6rv5-mgg2 (https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2) and the fixing pull request (https://github.com/Shopify/tophat/pull/139).
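The SI-10 control above and the analysis of the code path both come down to one decision: whether the 'arguments' value is spliced into a shell string or validated and passed as argv. The block below is an added illustration, not Tophat's code or the fix in the linked pull request. It models the vulnerable pattern next to a hardened handler, for both URL forms the advisory names. The launch-app command, the install path, and the use of echo as a stand-in for the real tool are assumptions made so the example runs harmlessly; the attacker URL is constructed.

```python
"""Added example: the CVE-2026-39862 pattern (URL query -> /bin/bash -c) beside
a hardened handler. Not Tophat's code. `launch-app`, the `install` path and the
echo stand-in are assumed for illustration only."""
import re
import shlex
import subprocess
from urllib.parse import parse_qs, urlparse

# What a single argument token may look like after shell-style splitting.
# ';', '|', '&', '$', backticks, quotes and embedded whitespace are all outside
# this set and therefore rejected.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.,=:/@+-]+$")


def arguments_from_url(url: str) -> str:
    """Return the raw `arguments` query value, or '' if absent.

    Handles both vectors named in the advisory: the custom scheme
    (tophat://...) and the loopback listener (http://localhost:29070/...).
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return query.get("arguments", [""])[0]


def vulnerable_argv(url: str) -> list[str]:
    """Vulnerable pattern: the untrusted value is spliced into one shell string.

    Returns the argv that would be executed. Any shell metacharacters inside
    `arguments` (';', '|', '$(...)', backticks, ...) are interpreted by bash,
    which is exactly the CWE-78 condition.
    """
    args = arguments_from_url(url)
    return ["/bin/bash", "-c", f"echo launch-app {args}"]


def hardened_argv(url: str) -> list[str]:
    """Hardened pattern: tokenise, allowlist each token, pass argv with no shell.

    `shlex.split` only splits (it raises ValueError on unbalanced quotes and
    never executes anything). Every token must match SAFE_TOKEN or the whole
    request is refused with ValueError.
    """
    args = arguments_from_url(url)
    tokens = shlex.split(args)
    for tok in tokens:
        if not SAFE_TOKEN.match(tok):
            raise ValueError(f"rejected argument token: {tok!r}")
    # echo stands in for the real tool; the point is that there is no shell
    # between this process and the child, so tokens are never re-parsed.
    return ["echo", "launch-app", *tokens]


def run(argv: list[str]) -> str:
    """Execute argv directly (no shell) and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    benign = "tophat://install?arguments=--env%20DEBUG%3D1"
    # Constructed attacker URL: '; echo INJECTED' rides along inside `arguments`.
    evil = ("http://localhost:29070/install"
            "?arguments=--env%20DEBUG%3D1%3B%20echo%20INJECTED")

    print("vulnerable, evil URL  :", run(vulnerable_argv(evil)).strip().replace("\n", " / "))
    print("hardened,   benign URL:", run(hardened_argv(benign)).strip())
    try:
        hardened_argv(evil)
    except ValueError as exc:
        print("hardened,   evil URL  :", exc)
```

In the vulnerable path the injected `echo INJECTED` runs as a second command; in the hardened path the token `DEBUG=1;` fails the allowlist and nothing is executed. The allowlist is deliberately strict: for a developer tool it is far cheaper to reject an unusual but legitimate argument than to let a single metacharacter through to bash.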

Details

CWE(s)

CWE-78 OS Command Injection

Affected Products

shopify / tophat: versions before 2.5.1 (fixed in 2.5.1)

CVEs Like This One

CVE-2026-24844 (shared CWE-78)
CVE-2026-40032 (shared CWE-78)
CVE-2026-33412 (shared CWE-78)
CVE-2026-40030 (shared CWE-78)
CVE-2026-6849 (shared CWE-78)
CVE-2026-41015 (shared CWE-78)
CVE-2026-5485 (shared CWE-78)
CVE-2025-1244 (shared CWE-78)
CVE-2026-34714 (shared CWE-78)
CVE-2026-33874 (shared CWE-78)

References

GitHub security advisory GHSA-8x8g-6rv5-mgg2: https://github.com/Shopify/tophat/security/advisories/GHSA-8x8g-6rv5-mgg2
Fixing pull request: https://github.com/Shopify/tophat/pull/139