CVE-2026-27938
Received Received - Intake
OS Command Injection in WPGraphQL GitHub Actions Workflow

Publication date: 2026-02-26

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27938
EUVD
EUVD-2026-8803
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpgraphql wp_graphql 2.9.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27938 is a high-severity OS command injection vulnerability in the GitHub Actions workflow of the wp-graphql/wp-graphql repository, specifically in the release.yml file.

The vulnerability occurs because the workflow directly uses the pull request (PR) body from `${{ github.event.pull_request.body }}` inside a shell `run:` block without sanitization. When a PR from the develop branch to master is merged, the PR body is injected verbatim into a shell command, allowing an attacker who controls the PR body to execute arbitrary commands on the GitHub Actions runner.

This means that malicious shell commands can be embedded in the PR body, which get executed during the workflow run, potentially compromising secrets and the repository environment.

Impact Analysis

This vulnerability can lead to arbitrary command execution on the GitHub Actions runner, which can compromise sensitive credentials and tokens used in the workflow.

  • Attackers can exfiltrate secrets such as REPO_PAT (a Personal Access Token with full repository scope), SVN_USERNAME and SVN_PASSWORD (WordPress.org deployment credentials), and GITHUB_TOKEN (workflow-scoped write access token).
  • Compromise of these credentials could allow attackers to publish backdoored versions of the WPGraphQL plugin, potentially affecting thousands of WordPress installations.
  • The vulnerability has a high CVSS score of 7.7, indicating significant confidentiality and integrity impacts.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability occurs in the GitHub Actions workflow of the wp-graphql/wp-graphql repository, specifically in the release.yml file, where the pull request body is injected directly into shell commands without sanitization.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of this vulnerability, you can review the GitHub Actions workflow files for unsafe usage of `${{ github.event.pull_request.body }}` or similar expressions directly inside `run:` shell blocks.'}, {'type': 'paragraph', 'content': "Since the vulnerability involves command injection via the PR body, monitoring GitHub Actions logs for suspicious commands or unexpected network calls (e.g., curl commands to external servers) triggered during the 'Generate release notes' step or other steps in the release.yml workflow can help detect exploitation."}, {'type': 'paragraph', 'content': 'There are no specific network or system commands provided to detect this vulnerability directly, but you can audit your GitHub Actions workflows with commands such as:'}, {'type': 'list_item', 'content': "grep -r '\\${{ github.event.pull_request.body }}' .github/workflows/"}, {'type': 'list_item', 'content': 'Review GitHub Actions run logs for suspicious shell commands or unexpected external requests.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The recommended immediate mitigation is to remove all `${{ }}` expressions from `run:` shell blocks in GitHub Actions workflows and instead pass these values as environment variables using the `env:` block.'}, {'type': 'paragraph', 'content': 'This approach safely handles dynamic data at runtime without injecting untrusted input directly into shell commands, preventing command injection.'}, {'type': 'paragraph', 'content': 'An example fix is to define environment variables for the pull request body and other dynamic inputs, then reference those variables inside the shell script, for example:'}, {'type': 'list_item', 'content': 'Use `env:` to assign `PR_BODY: ${{ github.event.pull_request.body }}`'}, {'type': 'list_item', 'content': 'In the `run:` block, use `printf "%s" "$PR_BODY" > /tmp/release-notes/pr_body.md` instead of direct interpolation.'}, {'type': 'paragraph', 'content': 'Additionally, apply the patch that modifies workflows (`release-please.yml` and `update-release-pr.yml`) to use environment variables exclusively for dynamic data and avoid direct `${{ }}` interpolation inside shell commands.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart