Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.
AnalysisAI
Command injection in Lawnchair's GitHub Actions workflow allows authenticated repository contributors to execute arbitrary code on GitHub-hosted CI/CD runners. The vulnerability affects Lawnchair for Android versions prior to commit fcba413f5 and stems from unsanitized workflow_dispatch inputs in release_update.yml. Authenticated attackers with repository write access can inject shell commands through workflow parameters, achieving full code execution in the build environment. A patch is available (commit fcba413f5), and the CVSS vector indicates this is a network-accessible, low-complexity attack requiring low privileges. CVSS v4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact scoped to the vulnerable CI/CD system. EPSS data not provided; no CISA KEV listing at time of analysis.
Technical ContextAI
This vulnerability exploits improper neutralization of special elements used in a command (CWE-77) within GitHub Actions workflow files. GitHub Actions workflows can accept inputs via workflow_dispatch events, and when these inputs are interpolated into shell commands without sanitization, attackers can inject arbitrary shell metacharacters. The affected component is release_update.yml in the Lawnchair project (cpe:2.3:a:lawnchairlauncher:lawnchair), an open-source Android launcher application. GitHub Actions runners execute workflows in Linux containers with access to repository secrets, source code, and deployment credentials. The CVSS v4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates this is remotely exploitable over the network with low attack complexity, no attack requirements beyond standard GitHub authentication, and requires low privileges (repository contributor/write access). The VC:H/VI:H/VA:H ratings reflect that successful exploitation yields complete control over the CI/CD environment, while SC:N/SI:N/SA:N indicates impact is contained to the vulnerable workflow system rather than spreading to downstream production systems. The E:P (Exploit Proof-of-Concept) metric confirms exploit code exists.
RemediationAI
Update the Lawnchair repository to commit fcba413f55dd47f8a3921445252849126c6266b2 or later, which patches the command injection vulnerability in release_update.yml. Repository maintainers should immediately merge this commit into all active branches. Review the patch at https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2 to understand the input sanitization applied. As a compensating control if immediate patching is not feasible, restrict repository write access to only highly-trusted contributors and enable branch protection rules requiring multiple approver reviews for workflow file changes (.github/workflows directory), though this only reduces attack surface and does not eliminate the vulnerability. Audit GitHub Actions workflow run history for suspicious executions of release_update.yml with unusual input parameters, checking for shell metacharacters (semicolons, backticks, pipes, dollar signs) in workflow_dispatch inputs. Rotate any secrets accessible to the affected workflow as a precautionary measure if unauthorized access is suspected. For downstream users of Lawnchair APKs, verify release signatures and checksums match official distributions to ensure build integrity was not compromised prior to the patch.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24039