CoreShop CVE-2026-41249
Severity: HIGH
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Description (NVD)
Summary
The GitHub Actions workflow (.github/workflows/static.yml) uses the pull_request_target trigger but dangerously checks out the unverified code from the pull request head (ref: ${{ github.event.pull_request.head.ref }}). Subsequently, it executes a script (bin/console) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability.
Steps to Reproduce:
- Fork the target repository.
- In the forked repository, modify a file that satisfies the paths condition (e.g., src/dummy.php or composer.json) to trigger the workflow.
- Modify the bin/console file (which is executed in the workflow steps) with the following malicious payload:

```bash
#!/bin/bash
echo "=== PWNED ==="
echo "whoami:"
whoami
```

- Commit the changes and open a Pull Request against the 5.0 or next branch of the base repository.
- The Static Tests workflow will trigger automatically. Navigate to the Actions tab and inspect the logs for the Validate YAML step (or any step executing bin/console).
- You will see the output of whoami (typically runner), proving that the arbitrary code was successfully executed in the runner's context.
[Screenshot: Actions log output showing the whoami result, taken 2026-04-14 11:14:56]
Impact: Because pull_request_target runs in the context of the base repository, the runner has access to repository secrets (e.g., PIMCORE_SECRET, PIMCORE_PRODUCT_KEY) loaded in the environment. An attacker can exfiltrate these secrets, modify repository contents (if the token has write permissions), or abuse the runner's computing resources.
Recommended Mitigation: Do not check out untrusted PR code (head.ref) when using pull_request_target if the code will be built or executed. Consider adopting a separated architecture using the workflow_run event:
- Use the pull_request event to safely run the build/tests in an unprivileged sandbox and upload artifacts.
- Use the workflow_run event (which is privileged) to download the artifacts and perform actions requiring secrets.
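The split described above, written out as two GitHub Actions workflows. This is an added illustration, not CoreShop's actual static.yml; only pull_request_target, bin/console, the 5.0/next branches, the "Static Tests" and "Validate YAML" names and the PIMCORE_SECRET secret come from the advisory, while the file names, the composer and lint:yaml commands, the paths filter and the static-report.txt artifact are assumed.

```yaml
# Unprivileged half, .github/workflows/static.yml (assumed name). pull_request
# jobs from forks get no repository secrets and a read-only GITHUB_TOKEN, so
# running bin/console from the PR head cannot leak PIMCORE_SECRET.
name: Static Tests
on:
  pull_request:
    branches: ['5.0', 'next']
    paths: ['src/**', 'composer.json']   # assumed paths filter
permissions:
  contents: read
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # default ref is the PR merge commit; no head.ref override
      - run: composer install --no-interaction
      - name: Validate YAML
        run: bin/console lint:yaml config > static-report.txt   # untrusted code, no secrets in env
      - uses: actions/upload-artifact@v4
        with:
          name: static-report
          path: static-report.txt

# Privileged half, .github/workflows/static-publish.yml (assumed name). Runs in
# the base repository with secrets, but only ever checks out base-branch code and
# treats the downloaded artifact as data.
name: Publish Static Test Results
on:
  workflow_run:
    workflows: ['Static Tests']
    types: [completed]
permissions:
  contents: read
  actions: read                          # needed to download another run's artifact
jobs:
  publish:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/checkout@v4        # no ref: given, so this is the trusted default branch
      - uses: actions/download-artifact@v4
        with:
          name: static-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Step that needs secrets
        env:
          PIMCORE_SECRET: ${{ secrets.PIMCORE_SECRET }}
        run: cat static-report.txt       # read the report; never execute or source artifact contents
```

The artifact still originates from an untrusted run, so the privileged workflow must parse or display it only and never execute, source or install anything it contains.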
Analysis (AI)
Remote code execution in CoreShop's GitHub Actions CI/CD pipeline allows unauthenticated attackers to compromise the build infrastructure and exfiltrate repository secrets by submitting a malicious pull request. The vulnerability stems from the dangerous combination of pull_request_target trigger with unverified code checkout, enabling attackers to execute arbitrary commands (bin/console) on GitHub-hosted runners with access to sensitive credentials including PIMCORE_SECRET and PIMCORE_PRODUCT_KEY. …
Remediation (AI)
Within 24 hours: Disable pull_request_target workflows or restrict to trusted contributors only; audit GitHub Actions logs and repository secrets for unauthorized access. Within 7 days: Implement pull request approval gates requiring maintainer review before workflow execution; rotate all exposed secrets (PIMCORE_SECRET, PIMCORE_PRODUCT_KEY). …
External POC / Exploit Code: GHSA-q58j-g3f4-h26h