Security Vulnerability Report
CVE-2026-42603 CVSS 8.8 HIGH

CVE-2026-42603

Published: 2026-05-11 17:16:33
Last Modified: 2026-05-11 18:16:36

Description

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and executes code directly from the attacker's fork, enabling RCE with write permissions. This vulnerability is fixed in 2.1.2.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

OWASP BLT < 2.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
yaml
# Vulnerable Workflow Concept (.github/workflows/pre-commit-fix.yaml)
name: Pre-commit Fix
on:
  pull_request_target:  # Triggers with high privileges (secrets, write token) from forked PRs
jobs:
  run-fix:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR code
        uses: actions/checkout@v2
        with:
          # VULNERABILITY: Checking out code from the attacker's head revision
          # (pull_request.head.sha) instead of the base branch. This allows
          # executing untrusted code in the privileged context.
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - name: Execute Script
        run: |
          # The attacker can modify this script in their fork to run arbitrary commands
          chmod +x .github/scripts/fix.sh
          .github/scripts/fix.sh
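As an added defensive example (not code from the advisory or the BLT project), the following Python check flags the workflow pattern described above: a pull_request_target trigger combined with a checkout of the pull request's head revision. The regex names and both sample workflows are constructed for this example; the page does not describe how 2.1.2 fixed the workflow, so the base-only variant is just one common hardening.

```python
import re

# Added example, not taken from the advisory or the BLT repository: a
# dependency-free linter for the misconfiguration behind CVE-2026-42603, a
# workflow triggered by pull_request_target that checks out (and then runs)
# the pull request's own head revision. Pattern names are ours.
TRIGGER_RE = re.compile(r"\bpull_request_target\b")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)\b|github\.head_ref\b")
RUN_STEP_RE = re.compile(r"^\s*-?\s*run\s*:", re.MULTILINE)

def audit_workflow(text):
    """Return a list of findings for one workflow file; [] means clean."""
    findings = []
    if not TRIGGER_RE.search(text):
        return findings  # plain pull_request: fork code runs without secrets or a write token
    if HEAD_REF_RE.search(text):
        findings.append("pull_request_target checks out untrusted head revision")
        if RUN_STEP_RE.search(text):
            findings.append("run step executes in the privileged job after the checkout")
    return findings

# Constructed samples. VULNERABLE mirrors the advisory's description; BASE_ONLY
# keeps the privileged trigger but checks out only the base branch (one
# hardening option; the actual 2.1.2 change is not described on this page).
VULNERABLE = """\
name: Pre-commit Fix
on:
  pull_request_target:
jobs:
  run-fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - run: .github/scripts/fix.sh
"""

BASE_ONLY = """\
name: Pre-commit Fix
on:
  pull_request_target:
jobs:
  run-fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: .github/scripts/fix.sh
"""
```

Run `audit_workflow` over each file under `.github/workflows/` in CI to catch the pattern before it is merged; the check is text-based, so an inline list form such as `on: [pull_request_target]` is still caught by the trigger regex.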

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42603", "sourceIdentifier": "[email protected]", "published": "2026-05-11T17:16:33.410", "lastModified": "2026-05-11T18:16:35.887", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and executes code directly from the attacker's fork, enabling RCE with write permissions. This vulnerability is fixed in 2.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-95"}]}], "references": [{"url": "https://github.com/OWASP-BLT/BLT/security/advisories/GHSA-cgvj-qg2h-cqfh", "source": "[email protected]"}, {"url": "https://github.com/OWASP-BLT/BLT/security/advisories/GHSA-cgvj-qg2h-cqfh", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}