CVE-2026-46699

Source
https://cve.org/CVERecord?id=CVE-2026-46699
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46699.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46699
Aliases
  • GHSA-g95q-3cmj-fvh8
Published
2026-06-18T20:47:28.481Z
Modified
2026-07-08T08:13:48.575506507Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L CVSS Calculator
Summary
conda-smithy vulnerable to misrouted repository invitation by conda-forge-webservices[bot] due to GitHub username takeover leading to unintended write access in conda-forge feedstock repository
Details

conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.61.0, a vulnerability in the conda-forge automated webservices allowed unintended write access to feedstock repositories through GitHub username takeover. The root cause is the use of mutable GitHub usernames as identifiers for repository invitation routing, rather than stable, immutable GitHub user IDs. Version 3.61.0 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46699.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-284"
    ]
}
References

Affected packages

Git / github.com/conda-forge/conda-smithy

Affected ranges

Type
GIT
Repo
https://github.com/conda-forge/conda-smithy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.61.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.2
v0.3
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.7.2
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.9.0
v0.9.1
v0.9.2
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.7.0
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.2.2
v2.3.0
v2.3.3
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v3.*
v3.0.0
v3.0.0.rc1
v3.0.0.rc2
v3.0.0rc3
v3.0.0rc4
v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.11.0
v3.12
v3.13.0
v3.14.0
v3.14.1
v3.14.2
v3.14.3
v3.15.0
v3.15.1
v3.16.0
v3.16.1
v3.16.2
v3.17.0
v3.17.1
v3.17.2
v3.18.0
v3.19.0
v3.2.0
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.21.0
v3.21.1
v3.21.2
v3.21.3
v3.22.0
v3.22.1
v3.23.0
v3.23.1
v3.24.0
v3.24.1
v3.25.0
v3.25.1
v3.26.0
v3.26.1
v3.26.2
v3.26.3
v3.27.0
v3.27.1
v3.28.0
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.30.0
v3.30.1
v3.30.2
v3.30.3
v3.30.4
v3.31.0
v3.31.1
v3.32.0
v3.33.0
v3.34.0
v3.34.1
v3.35.0
v3.35.1
v3.36.0
v3.36.1
v3.36.2
v3.37.0
v3.37.1
v3.37.2
v3.38.0
v3.39.0
v3.39.1
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.40.0
v3.40.1
v3.41.0
v3.41.1
v3.42.0
v3.42.2
v3.43.0
v3.43.1
v3.43.2
v3.44.0
v3.44.1
v3.44.2
v3.44.3
v3.44.4
v3.44.6
v3.44.7
v3.44.8
v3.44.9
v3.45.0
v3.45.1
v3.45.2
v3.45.3
v3.45.4
v3.46.0
v3.46.1
v3.47.0
v3.47.1
v3.47.2
v3.48.0
v3.48.1
v3.5.0
v3.50.0
v3.50.1
v3.51.0
v3.51.1
v3.52.0
v3.52.1
v3.52.2
v3.52.3
v3.53.0
v3.53.1
v3.53.2
v3.53.3
v3.54.0
v3.54.1
v3.54.2
v3.55.0
v3.55.1
v3.56.0
v3.56.1
v3.56.2
v3.56.3
v3.57.0
v3.58.0
v3.58.1
v3.59.0
v3.59.1
v3.6.0
v3.6.1
v3.6.10
v3.6.11
v3.6.12
v3.6.13
v3.6.14
v3.6.15
v3.6.16
v3.6.17
v3.6.2
v3.6.3
v3.6.4
v3.6.5
v3.6.6
v3.6.7
v3.6.8
v3.6.9
v3.60.0
v3.7.0
v3.7.1
v3.7.10
v3.7.2
v3.7.3
v3.7.4
v3.7.6
v3.7.7
v3.7.8
v3.7.9
v3.8.0
v3.8.1
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.8.6
v3.9.0
vv3.*
vv3.10.0
vv3.14.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46699.json"