CVE-2026-40316
Analyzed Analyzed - Analysis Complete
Remote Code Execution in OWASP BLT GitHub Workflow

Publication date: 2026-04-15

Last updated on: 2026-05-21

Assigner: GitHub, Inc.

Description
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with full GITHUB_TOKEN write permissions, copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show, and then executes python manage.py makemigrations, which imports Django model modules including attacker-controlled website/models.py at runtime. Any module-level Python code in the attacker's models.py is executed during import, enabling arbitrary code execution in the privileged CI environment with access to GITHUB_TOKEN and repository secrets. The attack is triggerable by any external contributor who can open a pull request, provided a maintainer applies the regenerate-migrations label, potentially leading to secret exfiltration, repository compromise, and supply chain attacks. A patch for this issue is expected to be released in version 2.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-05-21
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40316
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
owasp owasp_blt to 2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OWASP BLT versions prior to 2.1.1 within the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger, which runs with full GITHUB_TOKEN write permissions. It copies attacker-controlled files from untrusted pull requests into the trusted runner workspace using git show, then executes a Django command that imports model modules including the attacker-controlled website/models.py file. Because Python code in models.py is executed during import, this allows arbitrary code execution in the privileged CI environment.

An external contributor can trigger this vulnerability by opening a pull request and having a maintainer apply the regenerate-migrations label. This leads to execution of malicious code with access to repository secrets and the GITHUB_TOKEN.

Impact Analysis

This vulnerability can lead to several serious impacts including secret exfiltration, repository compromise, and supply chain attacks. Because the attacker can execute arbitrary code in the CI environment with full write permissions via GITHUB_TOKEN, they can potentially access and steal sensitive information, modify repository contents, or inject malicious code into the software supply chain.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OWASP BLT to version 2.1.1 or later, where the patch for this issue is expected to be released.

Additionally, avoid applying the regenerate-migrations label to pull requests from external contributors until the patch is applied, as this label triggers the vulnerable workflow.

Compliance Impact

This vulnerability allows arbitrary code execution in a privileged CI environment with access to repository secrets and the GITHUB_TOKEN. Such unauthorized access and potential exfiltration of sensitive information could lead to violations of data protection regulations and standards that require safeguarding of sensitive data, such as GDPR and HIPAA.

Specifically, the compromise of repository secrets and potential supply chain attacks could result in unauthorized disclosure or alteration of personal or protected health information, thereby impacting compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40316. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart