Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-24844 is a high-severity shell injection vulnerability in the Melange build system versions 0.3.0 to before 0.40.3. It occurs because user-supplied input values used in the pipeline's working-directory field are embedded into shell scripts without proper quote escaping. Specifically, when the pipeline uses substitutions like ${{vars.*}} or ${{inputs.*}} in the working-directory, an attacker who can provide build input values (but cannot modify pipeline definitions) can inject and execute arbitrary shell commands. This happens because the input is not properly sanitized, allowing the attacker to break out of the intended quoting context and run malicious commands on the system."}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can severely impact the confidentiality and integrity of your system. An attacker with local access and low privileges, who can supply build input values, could execute arbitrary shell commands. This could lead to unauthorized access to sensitive data, modification of files, or execution of malicious code within the build environment. However, the vulnerability does not affect system availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises when the Melange build system uses user-supplied inputs in the working-directory field with substitutions like ${{vars.*}} or ${{inputs.*}} without proper shell escaping, allowing arbitrary command execution.

To detect if your system is vulnerable, check the version of Melange you are running. Versions from 0.3.0 up to before 0.40.3 are affected.

You can verify the Melange version by running a command such as:

• melange --version

Additionally, inspect your build pipelines for usage of ${{vars.*}} or ${{inputs.*}} substitutions in the working-directory field, as these are the injection points.

Since the vulnerability requires local access and user interaction, monitoring build logs or shell scripts generated by Melange for suspicious unescaped shell commands or unexpected command execution may help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Melange to version 0.40.3 or later, where this vulnerability has been patched.

The fix involves replacing unsafe manual escaping of user-controlled shell variables with a robust quoting mechanism using the go-shellquote library, preventing command injection.

Until you can upgrade, avoid using user-controlled inputs in the working-directory field with ${{vars.*}} or ${{inputs.*}} substitutions in your build pipelines.

Also, restrict local access to the build system to trusted users only, as exploitation requires local access with low privileges and some user interaction.

Useful 0 Not Useful 0