Is Python affected by CVE-2026-29075?

CVE-2026-29075 affects Mesa, an open-source Python library used for agent-based modeling simulations. The vulnerability allows arbitrary code execution when untrusted code is checked out in GitHub Actions workflows, potentially compromising build infrastructure and CI/CD pipelines.

CVE-2026-29075

HIGH

2026-03-06 [email protected]

8.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

Patch Released

Mar 11, 2026 - 00:21 nvd

Patch available

CVE Published

Mar 06, 2026 - 17:16 nvd

HIGH 8.3

Description

Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commit c35b8cd.

Analysis

Unsafe checkout of untrusted code in Mesa's benchmarks.yml GitHub Actions workflow prior to version 3.5.1 enables arbitrary code execution with elevated privileges on CI/CD runners. An attacker can exploit this by submitting malicious pull requests to execute commands in the privileged runner environment, potentially compromising the build pipeline and downstream users. …

Remediation

Within 24 hours: Inventory all internal and third-party use of Mesa library versions 3.5.0 and prior; notify teams running Mesa-dependent workflows. Within 7 days: Upgrade Mesa to patched version for all production and development systems; audit GitHub Actions workflows using benchmarks.yml for untrusted code checkout patterns. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +42

POC: 0

CVE-2026-29075 vulnerability details – vuln.today

Back

CVE-2026-29075

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-29075

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code