Skip to main content

Conda Smithy

1 CVEs product

Monthly

CVE-2026-46699 HIGH PATCH This Week

Unintended write access to conda-forge feedstock repositories in conda-smithy prior to 3.61.0 allows attackers who register an abandoned or relinquished GitHub username (a username takeover) to be auto-invited as a maintainer when the conda-forge webservices route repository invitations based on mutable usernames rather than immutable user IDs. The flaw maps to CWE-284 (Improper Access Control) and impacts the conda-forge package supply chain; no public exploit identified at time of analysis, but the GitHub security advisory GHSA-g95q-3cmj-fvh8 and a fix commit are public.

Authentication Bypass Conda Smithy
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Unintended write access to conda-forge feedstock repositories in conda-smithy prior to 3.61.0 allows attackers who register an abandoned or relinquished GitHub username (a username takeover) to be auto-invited as a maintainer when the conda-forge webservices route repository invitations based on mutable usernames rather than immutable user IDs. The flaw maps to CWE-284 (Improper Access Control) and impacts the conda-forge package supply chain; no public exploit identified at time of analysis, but the GitHub security advisory GHSA-g95q-3cmj-fvh8 and a fix commit are public.

Authentication Bypass Conda Smithy
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy