Skip to main content

Google EUVDEUVD-2026-24039

| CVE-2026-39866 HIGH
Command Injection (CWE-77)
2026-04-21 GitHub_M
7.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 04:28 vuln.today
CVSS changed
Apr 21, 2026 - 02:22 NVD
7.4 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 02:00 euvd
EUVD-2026-24039
Analysis Generated
Apr 21, 2026 - 02:00 vuln.today
CVE Published
Apr 21, 2026 - 01:19 nvd
HIGH 7.4

DescriptionGitHub Advisory

Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.

AnalysisAI

Command injection in Lawnchair's GitHub Actions workflow allows authenticated repository contributors to execute arbitrary code on GitHub-hosted CI/CD runners. The vulnerability affects Lawnchair for Android versions prior to commit fcba413f5 and stems from unsanitized workflow_dispatch inputs in release_update.yml. Authenticated attackers with repository write access can inject shell commands through workflow parameters, achieving full code execution in the build environment. A patch is available (commit fcba413f5), and the CVSS vector indicates this is a network-accessible, low-complexity attack requiring low privileges. CVSS v4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact scoped to the vulnerable CI/CD system. EPSS data not provided; no CISA KEV listing at time of analysis.

Technical ContextAI

This vulnerability exploits improper neutralization of special elements used in a command (CWE-77) within GitHub Actions workflow files. GitHub Actions workflows can accept inputs via workflow_dispatch events, and when these inputs are interpolated into shell commands without sanitization, attackers can inject arbitrary shell metacharacters. The affected component is release_update.yml in the Lawnchair project (cpe:2.3:a:lawnchairlauncher:lawnchair), an open-source Android launcher application. GitHub Actions runners execute workflows in Linux containers with access to repository secrets, source code, and deployment credentials. The CVSS v4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates this is remotely exploitable over the network with low attack complexity, no attack requirements beyond standard GitHub authentication, and requires low privileges (repository contributor/write access). The VC:H/VI:H/VA:H ratings reflect that successful exploitation yields complete control over the CI/CD environment, while SC:N/SI:N/SA:N indicates impact is contained to the vulnerable workflow system rather than spreading to downstream production systems. The E:P (Exploit Proof-of-Concept) metric confirms exploit code exists.

RemediationAI

Update the Lawnchair repository to commit fcba413f55dd47f8a3921445252849126c6266b2 or later, which patches the command injection vulnerability in release_update.yml. Repository maintainers should immediately merge this commit into all active branches. Review the patch at https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2 to understand the input sanitization applied. As a compensating control if immediate patching is not feasible, restrict repository write access to only highly-trusted contributors and enable branch protection rules requiring multiple approver reviews for workflow file changes (.github/workflows directory), though this only reduces attack surface and does not eliminate the vulnerability. Audit GitHub Actions workflow run history for suspicious executions of release_update.yml with unusual input parameters, checking for shell metacharacters (semicolons, backticks, pipes, dollar signs) in workflow_dispatch inputs. Rotate any secrets accessible to the affected workflow as a precautionary measure if unauthorized access is suspected. For downstream users of Lawnchair APKs, verify release signatures and checksums match official distributions to ensure build integrity was not compromised prior to the patch.

Share

EUVD-2026-24039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy