CVE-2026-22869
Arbitrary Code Execution in Eigent CI Workflow via PR Injection
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eigent-ai | eigent | to 2026-01-13 (exc) |
| actions | checkout | 3 |
| actions | checkout | 4 |
| github-script | 6 | * |
| github-script | 7 | * |
| dorny | paths-filter | 2 |
| dorny | paths-filter | 3 |
| tj-actions | changed-files | 45 |
| markdownlint-cli | 0.43.0 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22869 is a critical security vulnerability in the eigent-ai project's GitHub Actions CI workflow. The issue arises because the workflow uses the `pull_request_target` event combined with checking out untrusted code from forked pull requests. This setup causes the CI to execute code from the pull request branch with write permissions and access to repository secrets. An attacker can exploit this by submitting a malicious pull request containing harmful scripts, which the CI executes, allowing arbitrary code execution. This can lead to stealing credentials, posting unauthorized comments, pushing malicious code, or creating releases. The vulnerability is due to improper handling of untrusted code in the CI workflow and was fixed by separating workflows, restricting permissions, and changing triggers to avoid executing untrusted code with elevated privileges. [1, 3, 4]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized arbitrary code execution within the CI environment, theft of sensitive credentials such as the GITHUB_TOKEN, unauthorized pushing of malicious code to the repository, posting unauthorized comments on pull requests, creation of malicious releases, and exfiltration of sensitive data. It can also compromise downstream users who rely on the repository. Essentially, an attacker can fully compromise the repository's integrity and confidentiality by exploiting this flaw. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing your GitHub Actions workflows, specifically looking for usage of the `pull_request_target` event combined with checking out untrusted pull request code using `actions/checkout` with the `ref` parameter set to `${{ github.event.pull_request.head.sha }}`. To detect if your CI workflow is vulnerable, check your `.github/workflows/ci.yml` file for these patterns. Additionally, you can look for suspicious activity in your repository such as unexpected comments on PRs, unauthorized pushes, or unusual releases. There are no specific network commands provided in the resources, but auditing your GitHub Actions workflow files and monitoring repository activity are key steps. [1, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Modify your GitHub Actions workflows to avoid using the `pull_request_target` event to run untrusted code. Instead, use the `pull_request` event which runs with read-only permissions and no access to secrets.
2. Avoid checking out untrusted pull request code when using `pull_request_target`.
3. Split workflows into separate files with distinct triggers and permission scopes, for example, one workflow triggered on `pull_request_target` that does not check out code and runs with write permissions only for safe operations like commenting, and another workflow triggered on `pull_request` that checks out code with read-only permissions for linting or testing.
4. Update GitHub Actions to the latest versions (e.g., `actions/checkout@v4`, `github-script@v7`, `paths-filter@v3`).
5. Pin versions of tools like `markdownlint-cli` to prevent supply chain attacks.
6. Explicitly set workflow permissions to least privilege, such as `contents: read` to prevent write access during workflow execution.
These steps prevent arbitrary code execution from forked pull requests and protect repository secrets. [1, 2, 3, 4]
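An added example (not from the advisory or the eigent project) covering both the detection question and the mitigation steps above: a stdlib-only Python heuristic that flags `pull_request_target` workflows which check out the PR head, run against a constructed vulnerable workflow and a constructed hardened one. The workflow contents, `scripts/lint.sh` and the finding names are assumptions; the check also matches `head.ref`, which generalizes the `head.sha` pattern named above.

```python
import re

# Constructed sample of the pattern the advisory describes (not eigent's real file).
VULNERABLE = """\
on: pull_request_target
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./scripts/lint.sh   # hypothetical script, taken from the PR branch
"""

# Constructed sample of the untrusted-code half of a split workflow.
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/lint.sh
"""

TRIGGER = re.compile(r"\bpull_request_target\b")
CHECKOUT = re.compile(r"uses:\s*['\"]?actions/checkout@")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
WRITE = re.compile(r"^\s*[\w-]+:\s*write\s*$|^\s*permissions:\s*write-all\s*$", re.M)


def audit_workflow(text):
    """Heuristic, file-level audit of one workflow; returns finding names."""
    # Strip YAML comments so commented-out steps are not reported.
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines())
    if not TRIGGER.search(body):
        return []  # not a pull_request_target workflow
    findings = []
    if CHECKOUT.search(body) and PR_HEAD.search(body):
        findings.append("checkout-of-pr-head-under-pull_request_target")
    if not re.search(r"^\s*permissions:", body, re.M):
        findings.append("no-explicit-permissions")
    elif WRITE.search(body):
        findings.append("write-permission-granted")
    return findings
```

A `write-permission-granted` result on a `pull_request_target` workflow that never checks out PR code corresponds to the commenting half of the split in step 3 and is informational rather than a defect.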
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to execute arbitrary code in the CI workflow, leading to credential theft, unauthorized code pushes, data exfiltration, and compromise of repository secrets. Such unauthorized access and data breaches could result in non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure handling of credentials. Therefore, exploitation of this vulnerability could lead to violations of these compliance requirements due to potential data exposure and unauthorized system modifications. [1, 3, 4]