CVE-2026-40316— OWASP BLT has RCE in Github Actions via untrusted Django model execution in workflow

OWASP BLT has RCE in Github Actions via untrusted Django model execution in workflow

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with full GITHUB_TOKEN write permissions, copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show, and then executes python manage.py makemigrations, which imports Django model modules including attacker-controlled website/models.py at runtime. Any module-level Python code in the attacker's models.py is executed during import, enabling arbitrary code execution in the privileged CI environment with access to GITHUB_TOKEN and repository secrets. The attack is triggerable by any external contributor who can open a pull request, provided a maintainer applies the regenerate-migrations label, potentially leading to secret exfiltration, repository compromise, and supply chain attacks. A patch for this issue is expected to be released in version 2.1.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

OWASP BLT 安全漏洞

OWASP BLT是OWASP BLT开源的一个游戏化众包测试与漏洞披露平台。 OWASP BLT 2.1.1之前版本存在安全漏洞，该漏洞源于.github/workflows/regenerate-migrations.yml工作流存在远程代码执行问题，可能导致任意代码执行。

N/A

N/A