CVE-2026-34243
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
A GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner.
Details
The workflow is triggered by issue_comment, which can be controlled by external users. In the following step:
echo identifiers=$(echo "${{ github.event.comment.body }}" | grep -oE '@njzjz-bot .*' | head -n1 | cut -c12- | xargs) >> $GITHUB_OUTPUTthe value of github.event.comment.body is directly interpolated into a shell command inside run:.
Since GitHub Actions evaluates ${{ }} before execution, attacker-controlled input is injected into the shell context without sanitization. This creates a command injection risk.
Additionally, the extracted value is later reused in another step that constructs output using backticks:
echo '@${{ github.event.comment.user.login }} Here is the BibTeX entry for `${{ steps.extract-identifiers.outputs.identifiers }}`:'which may further propagate unsafe content.
PoC
- Go to an issue in the repository
- Post a comment such as:
@njzjz-bot paper123" ) ; whoami ; #
- Observe whether the command is executed or reflected in logs/output
<img width="658" height="203" alt="poc" src="https://github.com/user-attachments/assets/084ac264-8cb9-4721-8279-26a1da9b891f" />
The injected payload successfully breaks out of the quoted context and executes arbitrary shell commands.
As shown in the workflow logs, the injected whoami command is executed, and the output (runner) is printed. This confirms that attacker-controlled input from github.event.comment.body is interpreted as shell commands.
This demonstrates a clear command injection vulnerability in the workflow.
Impact
- Remote attackers can inject arbitrary shell commands via issue comments
- Potential impacts:
- Execution of arbitrary commands in GitHub Actions runner
- Access to
GITHUB_TOKEN - Exfiltration of repository data
- CI/CD pipeline compromise
This issue affects all current versions of the repository as the vulnerable workflow is present in the main branch.
Suggested Fix
Avoid directly interpolating untrusted user input into shell commands.
Instead, pass github.event.comment.body through an environment variable and reference it safely within the script:
- name: Extract identifiers
id: extract-identifiers
env:
COMMENT_BODY: ${{ github.event.comment.body }}
run: |
identifiers=$(echo "$COMMENT_BODY" | grep -oE '@njzjz-bot .*' | head -n1 | cut -c12- | xargs)
echo "identifiers=$identifiers" >> $GITHUB_OUTPUTAnalysisAI
Command injection in njzjz/wenxian GitHub Actions workflow allows unauthenticated remote attackers to execute arbitrary code on CI/CD runners via malicious issue comments. The workflow directly interpolates untrusted user input from issue_comment.body into shell commands without sanitization, enabling attackers to break out of command context and run arbitrary commands. Publicly available exploit code exists with working proof-of-concept demonstrating execution of injected commands. EPSS data not available, but the low attack complexity (AC:L) and unauthenticated access (PR:N) combined with confirmed POC make this a critical risk for any deployment using the vulnerable workflow.
Technical ContextAI
This vulnerability exploits GitHub Actions' expression evaluation mechanism (${{ }}) combined with unsafe shell command construction. The workflow is triggered by the issue_comment event, which processes user-controlled input from issue comments in public repositories. The vulnerability occurs because GitHub Actions evaluates template expressions before passing the resulting string to the shell, meaning the interpolation of github.event.comment.body happens outside the shell's quoting context. The resulting string is then executed as a shell command, allowing attackers to inject shell metacharacters and command separators. The root cause is CWE-20 (Improper Input Validation), specifically the failure to sanitize user input before using it in a security-sensitive context. The affected product (pkg:actions/njzjz_wenxian) is a GitHub Actions workflow in the njzjz/wenxian repository, which appears to be an academic citation management tool that responds to bot commands in issue comments.
RemediationAI
Immediately update the vulnerable workflow to use environment variable indirection instead of direct expression interpolation. Replace the unsafe pattern with the recommended approach: set COMMENT_BODY as an environment variable assigned from github.event.comment.body, then reference $COMMENT_BODY within the shell script. The specific fix involves modifying the extract-identifiers step to use 'env: COMMENT_BODY: ${{ github.event.comment.body }}' and changing the run command to reference $COMMENT_BODY instead of ${{ github.event.comment.body }}. This ensures the user input is passed as data to the shell rather than evaluated as code. For the secondary usage in the output construction step, similarly pass the user login through an environment variable rather than direct interpolation. Repository owners should audit all GitHub Actions workflows for similar patterns of untrusted input usage in run commands, script arguments, or output construction. Refer to the vendor security advisory at https://github.com/njzjz/wenxian/security/advisories/GHSA-r4fj-r33x-8v88 for additional guidance. If immediate patching is not possible, disable the vulnerable workflow or restrict issue comment permissions to trusted collaborators only as a temporary workaround.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-r4fj-r33x-8v88