Skip to main content

CVE-2026-34243

CRITICAL
Improper Input Validation (CWE-20)
2026-03-29 https://github.com/njzjz/wenxian GHSA-r4fj-r33x-8v88
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 29, 2026 - 16:00 vuln.today
CVE Published
Mar 29, 2026 - 15:39 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Summary

A GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner.

Details

The workflow is triggered by issue_comment, which can be controlled by external users. In the following step:

bash
echo identifiers=$(echo "${{ github.event.comment.body }}" | grep -oE '@njzjz-bot .*' | head -n1 | cut -c12- | xargs) >> $GITHUB_OUTPUT

the value of github.event.comment.body is directly interpolated into a shell command inside run:.

Since GitHub Actions evaluates ${{ }} before execution, attacker-controlled input is injected into the shell context without sanitization. This creates a command injection risk.

Additionally, the extracted value is later reused in another step that constructs output using backticks:

bash
echo '@${{ github.event.comment.user.login }} Here is the BibTeX entry for `${{ steps.extract-identifiers.outputs.identifiers }}`:'

which may further propagate unsafe content.

PoC
  1. Go to an issue in the repository
  2. Post a comment such as:

@njzjz-bot paper123" ) ; whoami ; #

  1. Observe whether the command is executed or reflected in logs/output

<img width="658" height="203" alt="poc" src="https://github.com/user-attachments/assets/084ac264-8cb9-4721-8279-26a1da9b891f" />

The injected payload successfully breaks out of the quoted context and executes arbitrary shell commands.

As shown in the workflow logs, the injected whoami command is executed, and the output (runner) is printed. This confirms that attacker-controlled input from github.event.comment.body is interpreted as shell commands.

This demonstrates a clear command injection vulnerability in the workflow.

Impact
  • Remote attackers can inject arbitrary shell commands via issue comments
  • Potential impacts:
  • Execution of arbitrary commands in GitHub Actions runner
  • Access to GITHUB_TOKEN
  • Exfiltration of repository data
  • CI/CD pipeline compromise

This issue affects all current versions of the repository as the vulnerable workflow is present in the main branch.

Suggested Fix

Avoid directly interpolating untrusted user input into shell commands.

Instead, pass github.event.comment.body through an environment variable and reference it safely within the script:

yaml
- name: Extract identifiers
  id: extract-identifiers
  env:
    COMMENT_BODY: ${{ github.event.comment.body }}
  run: |
    identifiers=$(echo "$COMMENT_BODY" | grep -oE '@njzjz-bot .*' | head -n1 | cut -c12- | xargs)
    echo "identifiers=$identifiers" >> $GITHUB_OUTPUT

AnalysisAI

Command injection in njzjz/wenxian GitHub Actions workflow allows unauthenticated remote attackers to execute arbitrary code on CI/CD runners via malicious issue comments. The workflow directly interpolates untrusted user input from issue_comment.body into shell commands without sanitization, enabling attackers to break out of command context and run arbitrary commands. Publicly available exploit code exists with working proof-of-concept demonstrating execution of injected commands. EPSS data not available, but the low attack complexity (AC:L) and unauthenticated access (PR:N) combined with confirmed POC make this a critical risk for any deployment using the vulnerable workflow.

Technical ContextAI

This vulnerability exploits GitHub Actions' expression evaluation mechanism (${{ }}) combined with unsafe shell command construction. The workflow is triggered by the issue_comment event, which processes user-controlled input from issue comments in public repositories. The vulnerability occurs because GitHub Actions evaluates template expressions before passing the resulting string to the shell, meaning the interpolation of github.event.comment.body happens outside the shell's quoting context. The resulting string is then executed as a shell command, allowing attackers to inject shell metacharacters and command separators. The root cause is CWE-20 (Improper Input Validation), specifically the failure to sanitize user input before using it in a security-sensitive context. The affected product (pkg:actions/njzjz_wenxian) is a GitHub Actions workflow in the njzjz/wenxian repository, which appears to be an academic citation management tool that responds to bot commands in issue comments.

RemediationAI

Immediately update the vulnerable workflow to use environment variable indirection instead of direct expression interpolation. Replace the unsafe pattern with the recommended approach: set COMMENT_BODY as an environment variable assigned from github.event.comment.body, then reference $COMMENT_BODY within the shell script. The specific fix involves modifying the extract-identifiers step to use 'env: COMMENT_BODY: ${{ github.event.comment.body }}' and changing the run command to reference $COMMENT_BODY instead of ${{ github.event.comment.body }}. This ensures the user input is passed as data to the shell rather than evaluated as code. For the secondary usage in the output construction step, similarly pass the user login through an environment variable rather than direct interpolation. Repository owners should audit all GitHub Actions workflows for similar patterns of untrusted input usage in run commands, script arguments, or output construction. Refer to the vendor security advisory at https://github.com/njzjz/wenxian/security/advisories/GHSA-r4fj-r33x-8v88 for additional guidance. If immediate patching is not possible, disable the vulnerable workflow or restrict issue comment permissions to trusted collaborators only as a temporary workaround.

Share

CVE-2026-34243 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy