CVE-2026-35580
Received Received - Intake
Shell Injection in Emissary Workflow Dispatch Enables Supply Chain Attack

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35580
EUVD
EUVD-2026-19728
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nsa emissary From 5.10.0 (inc) to 8.38.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker with repository write access to execute arbitrary shell commands within GitHub Actions workflows, leading to repository poisoning and supply chain compromise. Such unauthorized code execution and potential credential exfiltration could result in breaches of confidentiality, integrity, and availability of data.

Given the high impact on confidentiality and integrity, organizations using affected versions of Emissary could face compliance risks with standards and regulations like GDPR and HIPAA, which mandate protection of sensitive data and secure software supply chains.

Specifically, the vulnerability could lead to unauthorized access or modification of data, potentially violating data protection requirements and increasing the risk of data breaches that must be reported under these regulations.

Executive Summary

CVE-2026-35580 is a critical shell injection vulnerability in the GitHub Actions workflows of the Emissary project, specifically affecting versions 5.10.0 through 8.38.0. The issue arises because user-controlled inputs from workflow_dispatch events are directly interpolated into shell commands using the ${{ }} expression syntax inside run blocks. This allows an attacker with repository write access to inject arbitrary shell commands.

The vulnerability occurs because the ${{ }} expressions are substituted before the shell interprets the command, so malicious inputs can break out of the intended command context and execute arbitrary code with the permissions of the job’s GITHUB_TOKEN, which has write access to repository contents and pull requests.

For example, an attacker could craft an input that injects a command to download and execute a backdoor script, leading to arbitrary code execution within the CI/CD runner environment.

Impact Analysis

This vulnerability can have severe impacts including:

  • Arbitrary code execution within the CI/CD runner environment.
  • Malicious modification of the repository via the GITHUB_TOKEN's contents: write permission, enabling repository poisoning.
  • Supply chain compromise affecting all downstream users who clone or build the repository.
  • Potential exfiltration of credentials or sensitive information from the GitHub Actions environment.
Detection Guidance

This vulnerability can be detected by inspecting the GitHub Actions workflow files in the repository for unsafe usage of user-controlled inputs within shell commands. Specifically, look for direct interpolation of workflow_dispatch inputs using the `${{ }}` expression syntax inside `run:` blocks in the following files: `.github/workflows/maven-version.yml`, `.github/workflows/cherrypick.yml`, and `.github/workflows/maven-release.yml`.

You can search for these patterns using commands like:

  • grep -n '\${{.*github.event.inputs.*}}' .github/workflows/*.yml
  • grep -n 'run:' .github/workflows/*.yml | xargs -I{} grep -A 3 '\${{.*}}' {}

Additionally, check if the repository is using a version of Emissary prior to 8.39.0, as versions 5.10.0 through 8.38.0 are vulnerable.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Emissary to version 8.39.0 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, apply the following mitigations to your GitHub Actions workflows:

  • Replace all direct `${{ inputs.* }}` interpolations in `run:` blocks with environment variable indirection by assigning inputs to environment variables at the step level (`env:`) and referencing those variables safely inside `run:` blocks.
  • Add strict input validation using regular expressions to ensure inputs conform to safe patterns before usage.
  • Set the default shell to bash in all jobs via `defaults.run.shell` to ensure consistent shell behavior.

No effective workaround exists other than upgrading or applying these code changes. Organizations that have forked Emissary should apply similar environment variable indirection and input validation patterns to their workflow files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35580. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart