CVE-2026-45132
Deferred Deferred - Pending Action
Exposure of Sensitive Credentials in CloudPirates Helm Charts

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposes sensitive credentials (Personal Access Token and SSH signing key) to fork-controlled code due to unsafe checkout and credential handling practices. This issue has been patched via commit fcf9302.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45132
EUVD
EUVD-2026-33665
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cloudpirates helm_charts to fcf9302 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CloudPirates Open Source Helm Charts involved a GitHub Actions workflow named generate-schema.yaml that exposed sensitive credentials such as a Personal Access Token (PAT) and an SSH signing key to code coming from forked repositories.

This happened because the workflow used unsafe checkout and credential handling practices, allowing malicious code in forked pull requests to access these credentials. Specifically, the PAT was stored in the Git credential store and the SSH key was written to disk early in the job, both of which could be exploited.

The issue was fixed by changing the workflow to require explicit authorization for pull requests from forks, using the default GITHUB_TOKEN instead of a PAT for checkouts in untrusted contexts, and avoiding early writes of sensitive keys to disk.

Compliance Impact

The vulnerability exposes sensitive credentials such as a Personal Access Token and an SSH signing key to untrusted fork-controlled code, which could lead to unauthorized access and modification of code repositories.

Such exposure of sensitive credentials can result in breaches of confidentiality and integrity, which are critical aspects of compliance requirements under standards like GDPR and HIPAA.

Unauthorized access enabled by this vulnerability could lead to data manipulation or leakage, potentially violating data protection regulations that mandate strict control over sensitive information.

The critical severity (CVSS 10.0) highlights the high impact on confidentiality and integrity, which are key compliance concerns in these regulations.

Impact Analysis

This vulnerability can have critical impacts because an attacker controlling a forked pull request could gain unauthorized access to sensitive credentials like the Personal Access Token and SSH signing key.

With these credentials, the attacker could perform unauthorized actions such as pushing malicious code, modifying workflows, or forging signed commits within the repository.

The CVSS score of 10.0 indicates that the vulnerability allows remote exploitation without any privileges or user interaction, severely compromising confidentiality and integrity.

Detection Guidance

This vulnerability involves exposure of sensitive credentials in GitHub Actions workflows, specifically in the generate-schema.yaml workflow file. Detection involves reviewing your GitHub Actions workflows for unsafe usage of Personal Access Tokens (PATs) in pull request contexts, especially from forked repositories.

You can detect if your workflows are vulnerable by checking if they use a PAT for checkout in pull request workflows triggered by forks, and if sensitive keys are written to disk early in the job.

Suggested commands to help detect this include:

  • Using git grep or similar to find usage of PATs in workflow files: `git grep -i 'personal_access_token' .github/workflows/`
  • Checking workflow files for unsafe checkout steps, e.g., searching for `actions/checkout` usage with PATs: `grep -r 'actions/checkout' .github/workflows/`
  • Reviewing workflow triggers to see if they run on pull requests from forks: `grep -r 'pull_request' .github/workflows/`
  • Inspecting logs of GitHub Actions runs for exposure of credentials or unexpected writes of SSH keys to disk.
Mitigation Strategies

Immediate mitigation steps include updating your GitHub Actions workflows to avoid exposing sensitive credentials to untrusted code from forks.

  • Replace usage of privileged Personal Access Tokens (PATs) with the default GITHUB_TOKEN for checkout operations in pull request workflows.
  • Restrict the use of PATs to only approved steps that require elevated permissions, avoiding their use in general checkout steps.
  • Avoid writing sensitive SSH signing keys to disk early in the workflow jobs.
  • Implement an authorization job that verifies if a pull request comes from an external fork and requires explicit re-approval before running sensitive jobs.
  • Ensure workflows trigger on appropriate events such as 'opened' and 'reopened' pull requests to control execution flow.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45132. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart