CVE-2026-45132
Exposure of Sensitive Credentials in CloudPirates Helm Charts
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cloudpirates | helm_charts | to fcf9302 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability exposes sensitive credentials such as a Personal Access Token and an SSH signing key to untrusted fork-controlled code, which could lead to unauthorized access and modification of code repositories.
Such exposure of sensitive credentials can result in breaches of confidentiality and integrity, which are critical aspects of compliance requirements under standards like GDPR and HIPAA.
Unauthorized access enabled by this vulnerability could lead to data manipulation or leakage, potentially violating data protection regulations that mandate strict control over sensitive information.
The critical severity (CVSS 10.0) highlights the high impact on confidentiality and integrity, which are key compliance concerns in these regulations.
Can you explain this vulnerability to me?
The vulnerability in CloudPirates Open Source Helm Charts involved a GitHub Actions workflow named generate-schema.yaml that exposed sensitive credentials such as a Personal Access Token (PAT) and an SSH signing key to code coming from forked repositories.
This happened because the workflow used unsafe checkout and credential handling practices, allowing malicious code in forked pull requests to access these credentials. Specifically, the PAT was stored in the Git credential store and the SSH key was written to disk early in the job, both of which could be exploited.
The issue was fixed by changing the workflow to require explicit authorization for pull requests from forks, using the default GITHUB_TOKEN instead of a PAT for checkouts in untrusted contexts, and avoiding early writes of sensitive keys to disk.
How can this vulnerability impact me?
This vulnerability can have critical impacts because an attacker controlling a forked pull request could gain unauthorized access to sensitive credentials like the Personal Access Token and SSH signing key.
With these credentials, the attacker could perform unauthorized actions such as pushing malicious code, modifying workflows, or forging signed commits within the repository.
The CVSS score of 10.0 indicates that the vulnerability allows remote exploitation without any privileges or user interaction, severely compromising confidentiality and integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves exposure of sensitive credentials in GitHub Actions workflows, specifically in the generate-schema.yaml workflow file. Detection involves reviewing your GitHub Actions workflows for unsafe usage of Personal Access Tokens (PATs) in pull request contexts, especially from forked repositories.
You can detect if your workflows are vulnerable by checking if they use a PAT for checkout in pull request workflows triggered by forks, and if sensitive keys are written to disk early in the job.
Suggested commands to help detect this include:
- Using git grep or similar to find usage of PATs in workflow files: `git grep -i 'personal_access_token' .github/workflows/`
- Checking workflow files for unsafe checkout steps, e.g., searching for `actions/checkout` usage with PATs: `grep -r 'actions/checkout' .github/workflows/`
- Reviewing workflow triggers to see if they run on pull requests from forks: `grep -r 'pull_request' .github/workflows/`
- Inspecting logs of GitHub Actions runs for exposure of credentials or unexpected writes of SSH keys to disk.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating your GitHub Actions workflows to avoid exposing sensitive credentials to untrusted code from forks.
- Replace usage of privileged Personal Access Tokens (PATs) with the default GITHUB_TOKEN for checkout operations in pull request workflows.
- Restrict the use of PATs to only approved steps that require elevated permissions, avoiding their use in general checkout steps.
- Avoid writing sensitive SSH signing keys to disk early in the workflow jobs.
- Implement an authorization job that verifies if a pull request comes from an external fork and requires explicit re-approval before running sensitive jobs.
- Ensure workflows trigger on appropriate events such as 'opened' and 'reopened' pull requests to control execution flow.
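The grep commands in the detection answer and the checklist in the mitigation answer can be combined into one triage script. The following is an added example written for this page, not code from the CloudPirates project, and it does not reproduce the real generate-schema.yaml. It scans workflow files for the signals the advisory names: a Personal Access Token handed to actions/checkout (and persisted in .git/config, which actions/checkout does by default), a checkout of the pull request head, secret material written to disk or an SSH agent, and the absence of a fork-authorization guard. The two embedded workflows are constructed samples; the secret names BOT_PAT and SIGNING_KEY, the 'safe-to-run' label used as the re-approval signal, and the assumption that the risky workflow runs on pull_request_target (the event that exposes repository secrets to fork PRs; the advisory does not state which trigger the real workflow used) are all assumptions. It is a line-based heuristic scanner rather than a YAML parser, so treat its output as a list to review by hand.

```python
"""Triage GitHub Actions workflows for credentials reachable from fork PRs.
Added example (not CloudPirates code); line-based heuristics, not a YAML parser."""
import glob, re, sys
from dataclasses import dataclass, field

TRIGGER_RE = re.compile(r"\b(pull_request_target|pull_request)\b")
CHECKOUT_TOKEN_RE = re.compile(r"token:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}")  # token handed to checkout
PR_HEAD_RE = re.compile(r"ref:.*github\.event\.pull_request\.head")       # fork-controlled code checked out
SSH_WRITE_RE = re.compile(r"\.ssh/|ssh-add|>\s*\S")                        # secret redirected to disk/agent
FORK_GUARD_RE = re.compile(r"head\.repo\.full_name\s*==\s*github\.repository|head\.repo\.fork\s*==\s*false")

@dataclass
class Findings:
    triggers: set = field(default_factory=set)
    checkout_tokens: list = field(default_factory=list)  # secret names passed to actions/checkout
    pr_head_checkout: bool = False
    persists_credentials: bool = True  # actions/checkout stores the token in .git/config by default
    ssh_key_writes: list = field(default_factory=list)  # 1-based line numbers
    fork_guard: bool = False

def scan_workflow(text: str) -> Findings:
    f = Findings()
    lines = text.splitlines()
    # Lines above "jobs:" hold the triggers; everything below is job steps.
    jobs_at = next((i for i, l in enumerate(lines) if re.match(r"^jobs:\s*$", l)), len(lines))
    in_checkout = False
    for n, line in enumerate(lines, 1):
        if n <= jobs_at:
            f.triggers.update(m.group(1) for m in TRIGGER_RE.finditer(line))
            continue
        if re.search(r"uses:\s*actions/checkout", line):
            in_checkout = True
            continue
        if in_checkout and re.match(r"^\s*-\s", line):  # next step begins
            in_checkout = False
        if in_checkout:
            m = CHECKOUT_TOKEN_RE.search(line)
            if m:
                f.checkout_tokens.append(m.group(1))
            f.pr_head_checkout |= bool(PR_HEAD_RE.search(line))
            if re.search(r"persist-credentials:\s*false", line):
                f.persists_credentials = False
        if "secrets." in line and SSH_WRITE_RE.search(line):
            f.ssh_key_writes.append(n)
        f.fork_guard |= bool(FORK_GUARD_RE.search(line))
    return f

def risk_level(f: Findings) -> str:
    # Only pull_request_target (not plain pull_request) gives fork PRs access to repository secrets.
    privileged = any(t != "GITHUB_TOKEN" for t in f.checkout_tokens) or bool(f.ssh_key_writes)
    if "pull_request_target" in f.triggers and f.pr_head_checkout:
        if privileged and not f.fork_guard:
            return "HIGH"    # fork code runs beside a PAT / signing key with no gate in front
        if privileged or not f.fork_guard:
            return "MEDIUM"
        return "LOW"         # gated, GITHUB_TOKEN only: what remains to review is the gate itself
    return "LOW" if privileged else "NONE"

VULNERABLE = """name: generate-schema (constructed, vulnerable shape)
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
jobs:
  schema:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ secrets.BOT_PAT }}
      - name: Install signing key early, before any fork check
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.SIGNING_KEY }}" > ~/.ssh/id_ed25519
"""
HARDENED = """name: generate-schema (constructed, hardened shape)
on:
  pull_request_target:
jobs:
  authorize:  # same-repo PRs pass; fork PRs need the constructed 'safe-to-run' label as re-approval
    runs-on: ubuntu-latest
    if: github.event.pull_request.head.repo.full_name == github.repository || contains(github.event.pull_request.labels.*.name, 'safe-to-run')
    steps:
      - run: echo authorized
  schema:
    needs: authorize
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ secrets.GITHUB_TOKEN }}
          persist-credentials: false
"""
if __name__ == "__main__":
    paths = sys.argv[1:] or glob.glob(".github/workflows/*.y*ml")
    samples = [(p, open(p).read()) for p in paths] or [("vulnerable", VULNERABLE), ("hardened", HARDENED)]
    for name, text in samples:
        found = scan_workflow(text)
        print(f"{name}: {risk_level(found)} {found}")
```

Run it from the repository root with no arguments to scan `.github/workflows/`, or pass workflow paths explicitly; with no workflows present it reports on the two built-in samples. The hardened sample still rates LOW rather than NONE on purpose: checking out a fork's head under pull_request_target is only as safe as the authorization job in front of it, so that gate is what a reviewer should read next.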