Vulnerability  ·  2026-06-28

mise — Task-Include Files Bypass Trust Gate, Enabling Arbitrary Code Execution (CVSS 8.6)

Vulnerability · High impact · Global · CVE-2026-55441
Prior to 2026.6.4, mise's trust feature gates config files (mise.toml, .tool-versions) through trust_check. However, task-include directories (mise-tasks/, .mise/tasks/) are loaded via a separate code path that never reaches trust_check. An attacker who places a malicious task-include directory in any shared or cloned repository achieves arbitrary code execution when the victim runs mise tasks. CVSS 8.6 High.
AI/ML CI pipelines frequently use mise to manage tasks (training runs, evals, data pre-processing). A supply-chain poisoned repository or a compromised upstream dependency with task files can silently execute attacker-controlled code in developer and CI environments where AI model pipelines are managed.
A malicious project directory contains a task-include subdirectory (mise-tasks/ or .mise/tasks/). When a user runs mise tasks from that directory, the task-include files are loaded on a code path that never calls trust_check, so the trust gate is bypassed entirely and the attacker-controlled task definitions are executed.
mise (jdx/mise) < 2026.6.4
Upgrade to mise ≥ 2026.6.4. Advisory: https://github.com/jdx/mise/security/advisories/GHSA-77g9-363w-rccq
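As an added example (not code from the advisory or from the mise project), a POSIX shell pre-flight check a CI job can run before `mise tasks`: it refuses to proceed when the checkout contains either task-include directory named above and the installed mise predates the fixed release. It assumes the caller passes the output of `mise --version` and that this output starts with the version number.

```shell
#!/bin/sh
# Added example, not code from the advisory or from mise itself.
# CI pre-flight guard: refuse to run `mise tasks` while the installed mise
# would load task-include directories without passing them through trust_check.
# Directory names (mise-tasks/, .mise/tasks/) and the fixed release (2026.6.4)
# come from the advisory; the `mise --version` output format is an assumption.

# Field-wise numeric compare of YYYY.M.P versions: returns 0 if $1 >= $2.
version_ge() {
    a=${1%% *}; b=${2%% *}          # keep only the leading version token
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -s -d. -f"$i" | tr -cd '0-9')
        y=$(printf '%s' "$b" | cut -s -d. -f"$i" | tr -cd '0-9')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Prints every task-include directory present under the checkout at $1.
find_task_include_dirs() {
    for d in "$1/mise-tasks" "$1/.mise/tasks"; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; fi
    done
    return 0
}

# Returns 0 when it is safe to run `mise tasks` in checkout $1 with mise
# version $2: either no task-include directory exists, or mise is at least
# the fixed release, where includes go through trust_check like other config.
mise_tasks_guard() {
    dirs=$(find_task_include_dirs "$1")
    if [ -z "$dirs" ]; then return 0; fi
    if version_ge "$2" 2026.6.4; then return 0; fi
    printf 'refusing to run mise tasks: mise %s loads these task-include dir(s) outside the trust gate:\n%s\n' "$2" "$dirs" >&2
    return 1
}

# CI usage (guard first, then run):
#   mise_tasks_guard "$PWD" "$(mise --version)" && mise tasks
```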
Sources
NVD: CVE-2026-55441
GitHub Advisory: GHSA-77g9-363w-rccq