CVE-2026-55576
Received Received - Intake

MaaAssistantArknights Command Injection via PR Title

Vulnerability report for CVE-2026-55576, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

MaaAssistantArknights is a one-click tool for daily Arknights tasks. In the current dev-v2 workflow, .github/workflows/release-preparation.yml inlined attacker-controlled github.event.pull_request.title into a run: shell command during the pull_request opened, reopened, and ready_for_review events, so a non-draft fork PR whose title starts with Release v could execute shell commands on the ubuntu-latest runner during the generate-changelog job. This vulnerability is fixed by commit cafc3946059e6337d2089d4fec8b6885ba17c332.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in MaaAssistantArknights, a tool for Arknights tasks. It allows attackers to execute shell commands on the ubuntu-latest runner by crafting a pull request title starting with 'Release v' during specific GitHub events. The issue occurs because the workflow file inlines the PR title into a shell command without proper sanitization.

Impact Analysis

If you use MaaAssistantArknights, an attacker could potentially run arbitrary shell commands on your system by submitting a specially crafted pull request. This could lead to data theft, system compromise, or further attacks depending on the permissions of the runner.

Compliance Impact

This vulnerability could lead to unauthorized code execution, potentially violating data protection requirements under GDPR or HIPAA if sensitive data is exposed or modified. Compliance may be impacted if the tool processes regulated data without proper safeguards.

Detection Guidance

This vulnerability is specific to the MaaAssistantArknights GitHub Actions workflow. To detect it, check if your repository uses the vulnerable workflow file .github/workflows/release-preparation.yml and if it contains shell commands that use github.event.pull_request.title without proper sanitization. Review the workflow for any instances where attacker-controlled PR titles could execute commands.

Mitigation Strategies

Update to the fixed commit cafc3946059e6337d2089d4fec8b6885ba17c332. Remove or sanitize any use of github.event.pull_request.title in shell commands within the workflow. Avoid using untrusted input in command execution contexts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55576. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart