CVE-2026-35580
Shell Injection in Emissary Workflow Dispatch Enables Supply Chain Attack

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product    Version / Range
nsa      emissary   From 5.10.0 (inc) to 8.38.0 (inc)
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35580 is a critical shell injection vulnerability in the GitHub Actions workflows of the Emissary project, specifically affecting versions 5.10.0 through 8.38.0. The issue arises because user-controlled inputs from workflow_dispatch events are directly interpolated into shell commands using the ${{ }} expression syntax inside run blocks. This allows an attacker with repository write access to inject arbitrary shell commands.

The vulnerability occurs because the ${{ }} expressions are substituted before the shell interprets the command, so malicious inputs can break out of the intended command context and execute arbitrary code with the permissions of the job’s GITHUB_TOKEN, which has write access to repository contents and pull requests.

For example, an attacker could craft an input that injects a command to download and execute a backdoor script, leading to arbitrary code execution within the CI/CD runner environment.

How can this vulnerability impact me?

This vulnerability can have severe impacts including:

  • Arbitrary code execution within the CI/CD runner environment.
  • Malicious modification of the repository via the GITHUB_TOKEN's contents: write permission, enabling repository poisoning.
  • Supply chain compromise affecting all downstream users who clone or build the repository.
  • Potential exfiltration of credentials or sensitive information from the GitHub Actions environment.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the GitHub Actions workflow files in the repository for unsafe usage of user-controlled inputs within shell commands. Specifically, look for direct interpolation of workflow_dispatch inputs using the `${{ }}` expression syntax inside `run:` blocks in the following files: `.github/workflows/maven-version.yml`, `.github/workflows/cherrypick.yml`, and `.github/workflows/maven-release.yml`.

You can search for these patterns using commands like:

  • grep -nE '\$\{\{.*(github\.event\.)?inputs\..*\}\}' .github/workflows/*.yml
  • grep -n -A 3 'run:' .github/workflows/*.yml | grep -E '\$\{\{.*\}\}'

Additionally, check if the repository is using a version of Emissary prior to 8.39.0, as versions 5.10.0 through 8.38.0 are vulnerable.

What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade Emissary to version 8.39.0 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, apply the following mitigations to your GitHub Actions workflows:

  • Replace all direct `${{ inputs.* }}` interpolations in `run:` blocks with environment variable indirection by assigning inputs to environment variables at the step level (`env:`) and referencing those variables safely inside `run:` blocks.
  • Add strict input validation using regular expressions to ensure inputs conform to safe patterns before usage.
  • Set the default shell to bash in all jobs via `defaults.run.shell` to ensure consistent shell behavior.

No effective workaround exists other than upgrading or applying these code changes. Organizations that have forked Emissary should apply similar environment variable indirection and input validation patterns to their workflow files.
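As an added example serving both the detection and mitigation answers above (it is not code from the advisory or the Emissary project): a portable shell scanner that flags `${{ ... inputs.* }}` substituted inside `run:` blocks, tried against two constructed workflow fragments, one with the unsafe pattern and one rewritten with the `env:` indirection, regex validation and bash default shell described above. The file names, the `VERSION` variable name and the version regex are assumptions.

```shell
# Added example (not the advisory's or Emissary's code): scan workflow files for
# workflow_dispatch inputs substituted inside run: blocks; tried on two
# constructed samples (the unsafe pattern and the env-indirected fix).
set -eu

# Constructed sample: the input lands in the shell command before it is parsed.
VULNERABLE_WF='jobs:
  release:
    steps:
      - run: mvn versions:set -DnewVersion=${{ inputs.version }}'

# Constructed sample: bound to an env var, validated, then quoted on use.
HARDENED_WF='defaults:
  run:
    shell: bash
jobs:
  release:
    steps:
      - env:
          VERSION: ${{ inputs.version }}
        run: |
          [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1
          mvn versions:set -DnewVersion="$VERSION"'

# scan_workflow FILE: print each run-block line that interpolates an input.
# Expressions under env: are left alone: the runner stores the value as a
# plain string and the shell never re-parses it.
scan_workflow() {
  awk '
    # Heuristic: a mapping key closes any open run: block; a run: key opens one.
    /^[[:space:]]*(- )?[A-Za-z_-]+:/ {
      inrun = ($0 ~ /^[[:space:]]*(- )?run:/) ? 1 : 0
    }
    inrun && /[$][{][{][^}]*(github[.]event[.])?inputs[.]/ {
      print FILENAME ":" NR ": " $0
    }
  ' "$1"
}

# count_unsafe_lines FILE: number of flagged lines (0 means clean).
count_unsafe_lines() { scan_workflow "$1" | wc -l | tr -d ' '; }

# Demo: write both samples to a temp dir and scan them.
dir=$(mktemp -d)
printf '%s\n' "$VULNERABLE_WF" > "$dir/unsafe.yml"
printf '%s\n' "$HARDENED_WF" > "$dir/fixed.yml"
for f in "$dir"/*.yml; do
  echo "$f: $(count_unsafe_lines "$f") unsafe line(s)"; scan_workflow "$f"
done
rm -r "$dir"
```

Run it from a repository root with `scan_workflow .github/workflows/<file>.yml` to check your own workflows; the heuristic key detection is good enough for typical step layouts but is not a YAML parser.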

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker with repository write access to execute arbitrary shell commands within GitHub Actions workflows, leading to repository poisoning and supply chain compromise. Such unauthorized code execution and potential credential exfiltration could result in breaches of confidentiality, integrity, and availability of data.

Given the high impact on confidentiality and integrity, organizations using affected versions of Emissary could face compliance risks with standards and regulations like GDPR and HIPAA, which mandate protection of sensitive data and secure software supply chains.

Specifically, the vulnerability could lead to unauthorized access or modification of data, potentially violating data protection requirements and increasing the risk of data breaches that must be reported under these regulations.
