CVE-2026-22869

Source
https://cve.org/CVERecord?id=CVE-2026-22869
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22869.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22869
Aliases
  • GHSA-gvh4-93cq-5xxp
Published
2026-01-13T20:38:42.662Z
Modified
2026-03-13T04:06:45.265818Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
Eigent Allows Arbitrary Code Execution via pull_request_target CI Workflow
Details

Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with the workflow's repository write permissions. The vulnerable workflow uses the pull_request_target trigger combined with a checkout of the untrusted PR code, so code supplied by the PR runs with the privileged token of the base repository. An attacker can exploit this to steal credentials, post comments, push code, or create releases.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22869.json"
}
References

Affected packages

Git / github.com/eigent-ai/eigent

Affected ranges

Type
GIT
Repo
https://github.com/eigent-ai/eigent
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.0.78"
        }
    ]
}

Affected versions

v0.*
v0.0.1-test
v0.0.10-test
v0.0.11-test
v0.0.12-test
v0.0.13-test
v0.0.14-test
v0.0.15-test
v0.0.16-test
v0.0.17-test
v0.0.18-test
v0.0.19-test
v0.0.2-test
v0.0.20-test
v0.0.21-test
v0.0.22-test
v0.0.23-test
v0.0.24-test
v0.0.25-test
v0.0.26-test
v0.0.27-test
v0.0.28-test
v0.0.29-test
v0.0.3-test
v0.0.30-test
v0.0.4-test
v0.0.5-test
v0.0.51
v0.0.52
v0.0.53
v0.0.53-test
v0.0.54
v0.0.54-test
v0.0.55
v0.0.55-test
v0.0.56-test
v0.0.57
v0.0.58
v0.0.59
v0.0.6-test
v0.0.60
v0.0.61
v0.0.62
v0.0.63
v0.0.64
v0.0.65
v0.0.66
v0.0.67
v0.0.68
v0.0.7-test
v0.0.70
v0.0.71
v0.0.72
v0.0.73
v0.0.74
v0.0.75
v0.0.77
v0.0.8-test
v0.0.9-test

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22869.json"