Compliance Impact

This vulnerability enables remote code execution with write permissions, allowing an attacker to exfiltrate secrets, modify repository contents, or expose action secrets. Such unauthorized access and potential data exposure could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information and maintaining system integrity.

Specifically, the ability to exfiltrate secrets or modify code could result in breaches of confidentiality and integrity, core principles in these regulations. Organizations using affected versions prior to 2.1.2 should consider the risk of data exposure and unauthorized changes as a compliance concern.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-42603 is a Remote Code Execution (RCE) vulnerability in the OWASP BLT GitHub repository's workflow file `.github/workflows/pre-commit-fix.yaml`. The workflow uses the privileged `pull_request_target` trigger but executes code directly from an attacker's fork. When a pull request is labeled "fix-pre-commit," the workflow runs `pre-commit run --all-files`, executing hooks from attacker-controlled code with full write permissions via the `GITHUB_TOKEN`. This allows the attacker to run malicious code with elevated privileges.

The attack involves an attacker forking the repository, adding a malicious hook to `.pre-commit-config.yaml`, opening a pull request, and convincing a maintainer to apply the "fix-pre-commit" label, which triggers the vulnerable workflow.

This vulnerability affects versions prior to 2.1.2 and is classified under CWE-94 (Code Injection) and CWE-95 (Eval Injection). The fix is to modify the workflow to check out only the base repository code instead of the attacker's fork.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including remote code execution with write permissions in the repository. An attacker can exfiltrate secrets, modify repository contents, or expose sensitive action secrets.

Because the malicious code runs with the `GITHUB_TOKEN` permissions, it can alter the repository, potentially introducing backdoors, deleting or changing code, or leaking confidential information.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the `.github/workflows/pre-commit-fix.yaml` workflow using the `pull_request_target` trigger that executes code from an attacker's fork. Detection involves inspecting the workflow files and monitoring for suspicious pull request labels such as "fix-pre-commit" that trigger the vulnerable workflow.

You can check your repository's workflow files for usage of `pull_request_target` triggers combined with code checkout from forks. For example, run commands to search for this pattern:

• grep -r 'pull_request_target' .github/workflows/
• grep -r 'checkout' .github/workflows/pre-commit-fix.yaml

Additionally, monitor pull requests labeled "fix-pre-commit" or similar, and audit any execution of `pre-commit run --all-files` triggered by such labels.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation is to upgrade OWASP BLT to version 2.1.2 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, modify the `.github/workflows/pre-commit-fix.yaml` workflow to avoid using the `pull_request_target` trigger to check out and execute code directly from forks. Instead, configure the workflow to check out only the base repository code.

Also, avoid labeling pull requests with "fix-pre-commit" or similar labels that trigger this workflow until the fix is applied.

Useful 0 Not Useful 0