Skip to main content

OWASP BLT EUVDEUVD-2026-29126

| CVE-2026-42603 HIGH
Code Injection (CWE-94)
2026-05-11 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 11, 2026 - 18:17 EUVD
Analysis Generated
May 11, 2026 - 16:47 vuln.today
CVE Published
May 11, 2026 - 16:11 nvd
HIGH 8.8

DescriptionGitHub Advisory

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and executes code directly from the attacker's fork, enabling RCE with write permissions. This vulnerability is fixed in 2.1.2.

AnalysisAI

Remote code execution in OWASP BLT versions prior to 2.1.2 enables attackers to execute arbitrary code with repository write permissions via malicious GitHub pull requests. The vulnerability exploits a GitHub Actions workflow misconfiguration where pull_request_target triggers execute code directly from attacker-controlled forks without proper validation. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly disclosed via GitHub Security Advisory GHSA-cgvj-qg2h-cqfh.

Technical ContextAI

This is a GitHub Actions workflow security misconfiguration (CWE-94: Improper Control of Generation of Code). The affected .github/workflows/pre-commit-fix.yaml workflow uses the pull_request_target trigger, which runs in the context of the base repository with access to repository secrets and write permissions. Unlike pull_request triggers that run in an isolated fork context, pull_request_target has privileged access. When this privileged workflow checks out and executes code directly from an attacker's pull request fork without validation, it creates a code injection vector. The attacker controls the code being executed in the privileged context, enabling arbitrary command execution with the workflow's permissions, including repository write access, secret access, and ability to modify GitHub releases, issues, and source code.

RemediationAI

Upgrade OWASP BLT to version 2.1.2 or later, which contains the vendor-released patch fixing the workflow misconfiguration. The fix modifies .github/workflows/pre-commit-fix.yaml to properly isolate pull request code execution from privileged contexts. Organizations unable to immediately upgrade should implement compensating controls: disable the pre-commit-fix.yaml workflow entirely by removing or renaming the file, manually review all pull requests for suspicious workflow modifications before merging, restrict repository write access to trusted maintainers only (reducing UI:R attack surface), and enable GitHub branch protection rules requiring approval from code owners before workflow execution. Note that disabling the workflow removes automated pre-commit fixing functionality, requiring manual code quality checks. Review GitHub Actions audit logs for any suspicious workflow executions from external contributors since initial deployment. Advisory and patch details: https://github.com/OWASP-BLT/BLT/security/advisories/GHSA-cgvj-qg2h-cqfh.

Share

EUVD-2026-29126 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy