CVE-2026-24844
Command Injection in Melange APK Builder via Unescaped Shell Variables
Publication date: 2026-02-04
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainguard | melange | From 0.3.0 (inc) to 0.40.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24844 is a high-severity shell injection vulnerability in the Melange build system, affecting versions 0.3.0 up to before 0.40.3. It occurs because user-supplied input values used in a pipeline step's working-directory field are embedded into generated shell scripts without proper quote escaping. Specifically, when the working-directory uses substitutions such as ${{vars.*}} or ${{inputs.*}}, an attacker who can provide build input values (but cannot modify pipeline definitions) can inject and execute arbitrary shell commands: the value is not sanitized, so it can break out of the intended quoting context and run malicious commands on the build system.
How can this vulnerability impact me?
This vulnerability can severely impact the confidentiality and integrity of your system. An attacker with local access and low privileges, who can supply build input values, could execute arbitrary shell commands. This could lead to unauthorized access to sensitive data, modification of files, or execution of malicious code within the build environment. However, the vulnerability does not affect system availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when the Melange build system uses user-supplied inputs in the working-directory field with substitutions like ${{vars.*}} or ${{inputs.*}} without proper shell escaping, allowing arbitrary command execution.
To detect if your system is vulnerable, check the version of Melange you are running. Versions from 0.3.0 up to before 0.40.3 are affected.
You can verify the Melange version by running a command such as:
- melange --version
Additionally, inspect your build pipelines for usage of ${{vars.*}} or ${{inputs.*}} substitutions in the working-directory field, as these are the injection points.
Since the vulnerability requires local access and user interaction, monitoring build logs or shell scripts generated by Melange for suspicious unescaped shell commands or unexpected command execution may help detect exploitation attempts.
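The inspection step above (find working-directory fields whose value comes from a ${{vars.*}} or ${{inputs.*}} substitution) can be automated with a small scanner. The Go program below is an added example written for this page, not Melange's code: it walks a melange-style YAML file line by line, which is an assumption chosen so it needs no YAML library, and reports every working-directory value that embeds one of the two substitution forms. The sample configuration is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one working-directory value whose content comes from a
// ${{vars.*}} or ${{inputs.*}} substitution, the injection point the
// advisory names.
type Finding struct {
	Line  int    // 1-based line number in the scanned text
	Value string // the working-directory value with surrounding quotes removed
}

// workingDirRe matches a step's working-directory key, whether it is the
// first key of a list item ("- working-directory: x") or a later key
// ("  working-directory: x"). Line-based on purpose (an assumption of this
// example): enough for a triage pass over a tree of melange files.
var workingDirRe = regexp.MustCompile(`^\s*(?:-\s+)?working-directory:\s*(.+?)\s*$`)

// substRe matches the two substitution forms the advisory calls out.
var substRe = regexp.MustCompile(`\$\{\{\s*(?:vars|inputs)\.[A-Za-z0-9_.-]+\s*\}\}`)

// ScanMelangeYAML returns every working-directory line whose value contains
// a vars.* or inputs.* substitution.
func ScanMelangeYAML(yamlText string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(yamlText, "\n") {
		m := workingDirRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		value := strings.Trim(m[1], `"'`)
		if substRe.MatchString(value) {
			findings = append(findings, Finding{Line: i + 1, Value: value})
		}
	}
	return findings
}

// sampleConfig is a constructed melange-style file for the demonstration;
// it is not taken from any real package definition.
const sampleConfig = `package:
  name: example
  version: 1.0.0

vars:
  srcdir: src

pipeline:
  - uses: fetch
  - runs: make
    working-directory: ${{vars.srcdir}}
  - runs: make install
    working-directory: build
  - name: test
    working-directory: "${{inputs.testdir}}/unit"
    runs: make check
`

func main() {
	for _, f := range ScanMelangeYAML(sampleConfig) {
		fmt.Printf("line %d: working-directory built from substitution: %s\n", f.Line, f.Value)
	}
}
```

A hit is not proof of exploitability on its own; it marks a step whose working directory is assembled from a value a build input can influence, which is where an unpatched Melange version would embed that value into the generated script. Upgrading remains the fix; the scan just tells you which pipelines to look at first.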
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Melange to version 0.40.3 or later, where this vulnerability has been patched.
The fix involves replacing unsafe manual escaping of user-controlled shell variables with a robust quoting mechanism using the go-shellquote library, preventing command injection.
Until you can upgrade, avoid using user-controlled inputs in the working-directory field with ${{vars.*}} or ${{inputs.*}} substitutions in your build pipelines.
Also, restrict local access to the build system to trusted users only, as exploitation requires local access with low privileges and some user interaction.
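To make the fix concrete, the Go program below is an added example for this page, not Melange's code and not the go-shellquote library's code. It renders the same generated "cd <working-directory>" line two ways: a naive double-quote wrapper standing in for the hand-rolled escaping the advisory says was replaced (an assumption about the defect class; the original template is not on this page), and a POSIX single-quote escaper of the kind a shell-quoting library applies, written out here so the example runs on the standard library alone. It then hands both lines to sh, with printf in place of cd, to show how many arguments the shell actually sees. The input value is constructed.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// naiveQuote stands in for the unsafe manual escaping the advisory describes:
// it surrounds the value with double quotes and trusts the value not to
// contain one. (Constructed illustration; not melange's original code.)
func naiveQuote(value string) string {
	return `"` + value + `"`
}

// QuoteForSh makes value a single literal shell word: wrap it in POSIX single
// quotes and render each embedded single quote as '\'' (close the word, add an
// escaped quote, reopen the word). Nothing else is special inside single
// quotes, so the value cannot end the word early. This is the general strategy
// a shell-quoting library uses; it is not go-shellquote's implementation.
func QuoteForSh(value string) string {
	return "'" + strings.ReplaceAll(value, "'", `'\''`) + "'"
}

// RenderLine emits one generated script line: a command followed by the
// working-directory value passed through the chosen quoting function.
func RenderLine(cmd, workDir string, quote func(string) string) string {
	return cmd + " " + quote(workDir)
}

// BuildCdLineUnsafe and BuildCdLineSafe are the vulnerable and hardened
// renderings of the same "cd <working-directory>" step.
func BuildCdLineUnsafe(workDir string) string { return RenderLine("cd", workDir, naiveQuote) }
func BuildCdLineSafe(workDir string) string   { return RenderLine("cd", workDir, QuoteForSh) }

// ShellOutputLines lets sh itself report what the quoting produced: the line
// is rendered with printf instead of cd, so each argument becomes one output
// line and any injected command adds lines of its own. A correctly quoted
// value therefore yields exactly one line. Returns -1 if sh cannot be run.
func ShellOutputLines(workDir string, quote func(string) string) int {
	line := RenderLine(`printf '%s\n'`, workDir, quote)
	out, err := exec.Command("sh", "-c", line).Output()
	if err != nil && len(out) == 0 {
		return -1
	}
	return strings.Count(string(out), "\n")
}

func main() {
	// Constructed input value: a "directory name" that closes the naive
	// double quotes and appends a second command.
	workDir := `build"; echo INJECTED; echo "`
	fmt.Println("unsafe:", BuildCdLineUnsafe(workDir), "-> sh output lines:", ShellOutputLines(workDir, naiveQuote))
	fmt.Println("safe:  ", BuildCdLineSafe(workDir), "-> sh output lines:", ShellOutputLines(workDir, QuoteForSh))
}
```

The point to take from the two outputs is that quoting must be applied to the value as a whole, at the moment it is spliced into the script, by a routine that handles every metacharacter the target shell honours; wrapping in one kind of quote and hoping the value contains none of that character is exactly the pattern the patch removed.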