
Duck Site EUVD-2026-36290

CVE-2026-47174 CRITICAL
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
Published 2026-06-11 · Vendor: GitHub_M
Score: 9.5 (CVSS 4.0)

Severity by source

Vendor (GitHub_M) PRIMARY
9.5 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.0 CRITICAL

A PR author can trigger it over the network with no auth or UI, but must craft a run that satisfies the main-branch gate (AC:H); the deploy job's privileges compromise the production site (S:C, C/I/A:H).

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Patch available: Jun 11, 2026 - 20:01 (EUVD)
Analysis generated: Jun 11, 2026 - 19:24 (vuln.today)
CVE published: Jun 11, 2026 - 18:46 (cve.org)

Description (CVE.org)

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisfy the deploy workflow’s main branch condition, the deploy job checks out the triggering workflow commit, builds it into a Docker image, pushes it as latest, and triggers Dokploy deployment. This can allow attacker-controlled pull request code to become the deployed production site image without being merged. This issue has been patched in version 1.0.1.

Analysis (AI)

Production deployment compromise in Duck Site before 1.0.1 allows remote attackers to push attacker-controlled code as the live production Docker image without code review or merge approval. The flaw stems from a GitHub Actions deploy workflow that can be tricked into treating an unmerged pull request build as a main-branch deployment, then checking out the PR commit, building it, pushing it as the latest Docker tag, and triggering a Dokploy deployment. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Fork public Duck Site repo
Delivery: Open PR with malicious app code
Exploit: Build workflow runs on PR
Install: Deploy workflow_run satisfies main-branch gate
C2: Deploy job checks out PR commit
Execute: Push attacker image to GHCR as latest
Impact: Dokploy deploys backdoored production site

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) the target to be running a vulnerable Duck Site repository (pre-1.0.1) whose deploy workflow uses the `workflow_run` trigger paired with a main-branch condition that can be satisfied by a PR-originated run, (2) the attacker to be able to open a pull request that triggers the build workflow - trivial on a public repo, gated by collaborator/fork-PR-approval settings on a private one, and (3) the PR build to successfully complete so the deploy workflow_run fires. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 base score of 9.5 is driven by network attack vector, low complexity, no privileges, no user interaction, and high impact on both the vulnerable system (the CI/CD pipeline / GHCR registry) and a subsequent system (the deployed production site via Dokploy) - credible given the workflow design. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker forks the public Duck Site repository, modifies the application source to inject a backdoor or credential-stealing payload, and opens a pull request that causes the build workflow to run. Because the deploy workflow fires on the build workflow's completion and its main-branch guard can be satisfied from the PR-originated run, it then checks out the attacker's PR commit, builds it, pushes it to GHCR as `:latest`, and instructs Dokploy to roll the production site to that image - all without the PR ever being reviewed or merged. …

Remediation: Vendor-released patch: upgrade to Duck Site 1.0.1, which corrects the deploy workflow's gating so that pull-request-originated workflow_run events can no longer satisfy the main-branch deployment condition; the fix is described in the GitHub Security Advisory at https://github.com/duck-organization/duck-site/security/advisories/GHSA-qj93-7xrg-rvhw. … Detailed patch versions, workarounds, and compensating controls in full report.
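The gating failure described above and in the remediation, modelled as an added example (this is not Duck Site's own workflow code, and the exact condition the vulnerable workflow used is not on this page). It evaluates a `workflow_run` event payload the way a deploy job's `if:` expression would: a gate that only compares `head_branch` to `main` passes for a fork pull request whose branch happens to be named `main`, while a gate that also checks the triggering event, the head repository and the run conclusion does not. The repository name and event payloads are constructed placeholders.

```python
# Added example, not the project's code. Models the deploy gate of a
# workflow_run-triggered job over constructed GitHub event payloads.

REPO = "example-org/example-site"  # placeholder, not the real repository


def weak_gate(event: dict) -> bool:
    # Equivalent to:  if: github.event.workflow_run.head_branch == 'main'
    # head_branch is the branch name of the *triggering* run's head commit,
    # so a pull request from a fork can satisfy it by naming its branch 'main'.
    return event["workflow_run"]["head_branch"] == "main"


def hardened_gate(event: dict, repo: str) -> bool:
    # Equivalent to:
    #   if: github.event.workflow_run.conclusion == 'success' &&
    #       github.event.workflow_run.event == 'push' &&
    #       github.event.workflow_run.head_branch == 'main' &&
    #       github.event.workflow_run.head_repository.full_name == github.repository
    run = event["workflow_run"]
    return (
        run["conclusion"] == "success"               # build actually passed
        and run["event"] == "push"                   # not a pull_request build
        and run["head_branch"] == "main"             # pushed to main
        and run["head_repository"]["full_name"] == repo  # commit lives here, not in a fork
    )


# Constructed, abbreviated workflow_run event bodies.
PUSH_TO_MAIN = {
    "workflow_run": {
        "event": "push", "conclusion": "success", "head_branch": "main",
        "head_repository": {"full_name": REPO},
    }
}
FORK_PR_NAMED_MAIN = {
    "workflow_run": {
        "event": "pull_request", "conclusion": "success", "head_branch": "main",
        "head_repository": {"full_name": "attacker-fork/example-site"},
    }
}


def evaluate(repo: str = REPO) -> dict:
    """Return each gate's decision for both constructed runs."""
    return {
        "push_weak": weak_gate(PUSH_TO_MAIN),
        "push_hardened": hardened_gate(PUSH_TO_MAIN, repo),
        "fork_pr_weak": weak_gate(FORK_PR_NAMED_MAIN),
        "fork_pr_hardened": hardened_gate(FORK_PR_NAMED_MAIN, repo),
    }
```

A deploy job that passes the hardened gate should still check out `github.event.workflow_run.head_sha` explicitly rather than the default ref, so that what is built is the commit that was actually verified.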

Recommended Action (AI)

Within 24 hours: identify all systems running Duck Site and document their versions; disable all pull request-based automatic deployments and require manual approval for any production deployment; review and restrict GitHub Actions workflow permissions. …


EUVD-2026-36290 vulnerability details – vuln.today
