Skip to main content

Suse CVE-2026-35580

| EUVDEUVD-2026-19728 CRITICAL
Command Injection (CWE-77)
2026-04-07 GitHub_M GHSA-3g6g-gq4r-xjm9
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 18:07 vuln.today
cvss_changed
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 16:30 euvd
EUVD-2026-19728
Analysis Generated
Apr 07, 2026 - 16:30 vuln.today
CVE Published
Apr 07, 2026 - 15:55 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.

AnalysisAI

Shell command injection in Emissary workflow engine below version 8.39.0 allows high-privileged attackers with repository write access to execute arbitrary commands via GitHub Actions workflow_dispatch inputs. Attackers exploit unsanitized ${{ }} expression syntax in workflow files to inject malicious shell commands, enabling repository poisoning and supply chain attacks affecting downstream users. CVSS 9.1 (Critical) with Changed scope indicates potential to compromise beyond the vulnerable component. No public exploit code or CISA KEV listing identified at time of analysis, though exploitation requires only repository write access with low attack complexity.

Technical ContextAI

Emissary is a P2P-based data-driven workflow engine developed by the National Security Agency (NSA). This vulnerability (CWE-77: Command Injection) stems from unsafe interpolation of user-controlled workflow_dispatch inputs within GitHub Actions YAML workflow files. The GitHub Actions ${{ }} expression syntax, when used to embed workflow inputs directly into shell commands without proper sanitization, creates injection points. An attacker with repository write permissions can craft malicious workflow_dispatch trigger payloads containing shell metacharacters or command sequences that execute during workflow runs. The Changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the GitHub Actions runner context, potentially compromising the CI/CD pipeline, build artifacts, or downstream systems that consume Emissary releases.

RemediationAI

Upgrade immediately to Emissary version 8.39.0 or later, which contains fixes for the shell injection vulnerability. The remediation was implemented through GitHub pull requests #1286 and #1288 available at https://github.com/NationalSecurityAgency/emissary/pull/1286 and https://github.com/NationalSecurityAgency/emissary/pull/1288. Organizations should audit all GitHub Actions workflow files for unsafe interpolation of workflow_dispatch inputs using ${{ }} syntax in shell commands and replace with properly sanitized alternatives or environment variable passing mechanisms. As an interim mitigation for environments unable to upgrade immediately, restrict repository write access to only essential trusted personnel, implement mandatory code review for all workflow file changes, and consider disabling workflow_dispatch triggers if not operationally required. Verify that no malicious commits were introduced to the repository prior to patching, as attackers with historical write access could have already poisoned the codebase.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-35580 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy