CVE-2026-27938
OS Command Injection in WPGraphQL GitHub Actions Workflow
Publication date: 2026-02-26
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpgraphql | wp_graphql | 2.9.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27938 is a high-severity OS command injection vulnerability in the GitHub Actions workflow of the wp-graphql/wp-graphql repository, specifically in the release.yml file.
The vulnerability occurs because the workflow directly uses the pull request (PR) body from `${{ github.event.pull_request.body }}` inside a shell `run:` block without sanitization. When a PR from the develop branch to master is merged, the PR body is injected verbatim into a shell command, allowing an attacker who controls the PR body to execute arbitrary commands on the GitHub Actions runner.
This means that malicious shell commands can be embedded in the PR body, which get executed during the workflow run, potentially compromising secrets and the repository environment.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary command execution on the GitHub Actions runner, which can compromise sensitive credentials and tokens used in the workflow.
- Attackers can exfiltrate secrets such as REPO_PAT (a Personal Access Token with full repository scope), SVN_USERNAME and SVN_PASSWORD (WordPress.org deployment credentials), and GITHUB_TOKEN (workflow-scoped write access token).
- Compromise of these credentials could allow attackers to publish backdoored versions of the WPGraphQL plugin, potentially affecting thousands of WordPress installations.
- The vulnerability has a high CVSS score of 7.7, indicating significant confidentiality and integrity impacts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in the GitHub Actions workflow of the wp-graphql/wp-graphql repository, specifically in the release.yml file, where the pull request body is injected directly into shell commands without sanitization.
To detect exploitation attempts or the presence of this vulnerability, you can review the GitHub Actions workflow files for unsafe usage of `${{ github.event.pull_request.body }}` or similar expressions directly inside `run:` shell blocks.
Since the vulnerability involves command injection via the PR body, monitoring GitHub Actions logs for suspicious commands or unexpected network calls (e.g., curl commands to external servers) triggered during the 'Generate release notes' step or other steps in the release.yml workflow can help detect exploitation.
There are no specific network or system commands provided to detect this vulnerability directly, but you can audit your GitHub Actions workflows with commands such as:
- `grep -r '\${{ github.event.pull_request.body }}' .github/workflows/`
- Review GitHub Actions run logs for suspicious shell commands or unexpected external requests. [1]
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to remove all `${{ }}` expressions from `run:` shell blocks in GitHub Actions workflows and instead pass these values as environment variables using the `env:` block.
This approach safely handles dynamic data at runtime without injecting untrusted input directly into shell commands, preventing command injection.
An example fix is to define environment variables for the pull request body and other dynamic inputs, then reference those variables inside the shell script, for example:
- Use `env:` to assign `PR_BODY: ${{ github.event.pull_request.body }}`
- In the `run:` block, use `printf "%s" "$PR_BODY" > /tmp/release-notes/pr_body.md` instead of direct interpolation.
Additionally, apply the patch that modifies workflows (`release-please.yml` and `update-release-pr.yml`) to use environment variables exclusively for dynamic data and avoid direct `${{ }}` interpolation inside shell commands. [1, 2]
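As an added example that is not code from the CVE record or from the WPGraphQL project, the following Python script implements the workflow audit described in the detection answer above and illustrates the `env:`-based fix from the mitigation answer. It scans workflow YAML text for `${{ }}` expressions inside `run:` values (both inline and `|` block scalars, which a plain grep handles poorly), ranks expressions drawn from well-known attacker-controlled contexts such as the PR body as high severity, and runs against two constructed workflows: one modelled on the vulnerable pattern and one rewritten to pass the PR body and ref through environment variables. The workflow contents, the context list and the severity labels are assumptions made for this example, not values taken from the advisory.

```python
# Added example (not from the CVE record or the WPGraphQL project): audit workflow text
# for `${{ ... }}` expressions inside `run:` blocks and rank the known-untrusted ones.
import re
from dataclasses import dataclass

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")  # captures the text inside ${{ }}
# `run:` key, optionally after a list dash; len(group 1) is the key's column,
# group 2 is the inline value (empty, "|" or ">" for a block scalar).
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

# Contexts an untrusted PR/issue author controls: a short, non-exhaustive list
# assembled for this example and used only to rank findings.
UNTRUSTED_CONTEXT_PREFIXES = (
    "github.event.pull_request.body",
    "github.event.pull_request.title",
    "github.event.pull_request.head.ref",
    "github.event.issue.title",
    "github.event.comment.body",
    "github.head_ref",
)

@dataclass
class Finding:
    line: int        # 1-based line number in the workflow text
    expression: str  # the expression found inside ${{ }}
    severity: str    # "high" for a known attacker-controlled context, else "medium"

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def scan_workflow(text: str) -> list:
    """Return every ${{ }} expression inside a run: value, in file order.
    All are reported because the fix moves each one into env:."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, value = len(m.group(1)), m.group(2)
        body = []  # (line number, text) pairs that make up the run value
        if value.startswith(("|", ">")):
            # Block scalar: following lines indented deeper than the key
            # (blank lines allowed) are the script.
            i += 1
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_col):
                body.append((i + 1, lines[i]))
                i += 1
        else:
            body.append((i + 1, value))
            i += 1
        for lineno, chunk in body:
            for expr in EXPR_RE.findall(chunk):
                sev = "high" if expr.startswith(UNTRUSTED_CONTEXT_PREFIXES) else "medium"
                findings.append(Finding(lineno, expr, sev))
    return findings

# Constructed workflow modelled on the vulnerable pattern: PR body inside run:.
VULNERABLE_WORKFLOW = """\
jobs:
  notes:
    runs-on: ubuntu-latest
    steps:
      - name: Generate release notes
        run: |
          mkdir -p /tmp/release-notes
          echo "${{ github.event.pull_request.body }}" > /tmp/release-notes/pr_body.md
      - name: Show ref
        run: echo "Building ${{ github.ref }}"
"""

# Same workflow with the fix from the mitigation answer: values pass through env:.
HARDENED_WORKFLOW = """\
jobs:
  notes:
    runs-on: ubuntu-latest
    steps:
      - name: Generate release notes
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
          REF: ${{ github.ref }}
        run: |
          mkdir -p /tmp/release-notes
          printf "%s" "$PR_BODY" > /tmp/release-notes/pr_body.md
          echo "Building $REF"
"""

def main() -> None:
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        found = scan_workflow(text)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line}: ${{{{ {f.expression} }}}} [{f.severity}]")

if __name__ == "__main__":
    main()
```

Run as-is, the script reports two findings for the vulnerable workflow (the PR body at high severity and `github.ref` at medium) and none for the hardened one, because the expressions now live under `env:` and the shell only ever sees `$PR_BODY` and `$REF` as ordinary variable values. The scanner flags every expression rather than only the untrusted contexts, matching the mitigation advice to keep `run:` blocks free of `${{ }}` altogether; to audit a real repository, read each file under `.github/workflows/` and pass its contents to `scan_workflow`.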