GHSA-6p2j-742g-835f

Source
https://github.com/advisories/GHSA-6p2j-742g-835f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6p2j-742g-835f/GHSA-6p2j-742g-835f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6p2j-742g-835f
Published
2026-04-04T06:03:06Z
Modified
2026-04-04T06:19:01.766009Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
actions-mkdocs: Command Injection via issue title in internal GitHub Actions workflow
Details

Summary

External input from github.event.issue.title is used unsafely in a shell command in .github/workflows/release-candidate.yaml, allowing command injection during workflow execution.

Details

In .github/workflows/release-candidate.yaml, the issue title is interpolated directly into a shell command:

export VERSION=$(echo ${{ github.event.issue.title }} | sed -E 's/Release v?([0-9\.]*)/\1/g')

Because the issue title is attacker-controlled and is embedded directly into a shell command, shell metacharacters such as command substitution ($()) and command separators (;) can be interpreted by the shell.

Although the workflow checks that the title starts with Release, that check does not prevent injection: a crafted title can begin with Release and still carry shell metacharacters that the shell interprets.
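The safe pattern for this kind of step, shown here as an added example rather than code from the advisory or the actions-mkdocs project, is to keep the `${{ }}` expression out of the script text entirely: expand it into an environment variable in the workflow (`env: ISSUE_TITLE: ${{ github.event.issue.title }}`), then read that variable in a quoted position and validate the whole title against a strict pattern before using it. The names ISSUE_TITLE and extract_version are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the actions-mkdocs project).
# In a workflow this function would be called as
#   env:
#     ISSUE_TITLE: ${{ github.event.issue.title }}   # runner expands this into an env var
#   run: extract_version "$ISSUE_TITLE"
# so the title is passed to the shell as data, never pasted into script text.

extract_version() {
  # $1 is the issue title. It is always quoted, so "$(whoami)" or ";" inside it
  # are never interpreted by the shell; they are just characters in a string.
  title="$1"

  # Anchored pattern: the entire title must be "Release", an optional "v", and a
  # dotted numeric version. Titles that do not match are left unchanged by sed.
  version=$(printf '%s\n' "$title" | sed -E 's/^Release v?([0-9]+(\.[0-9]+)*)$/\1/')

  # Accept only a non-empty string made of digits and dots. This rejects both
  # an unchanged (non-matching) title and any multi-line input, so nothing but
  # a clean version number can reach later steps.
  case $version in
    ''|*[!0-9.]*) return 1 ;;
  esac
  printf '%s\n' "$version"
}

# Stand-alone demo with constructed titles, including the advisory's PoC title.
for t in 'Release v1.2.3' 'Release 0.25.0' 'Release v1.2.3 $(whoami)'; do
  if v=$(extract_version "$t"); then
    printf 'accepted: %s -> %s\n' "$t" "$v"
  else
    printf 'rejected: %s\n' "$t"
  fi
done
```

With the PoC title, the function returns non-zero and prints nothing; the command substitution is never evaluated because the title only ever appears inside double quotes. The anchored regex is the second layer: even a title that merely starts with Release is rejected unless the remainder is a bare version number.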

PoC

  1. Create or edit an issue with the following title:

    Release v1.2.3 $(whoami)
    
  2. Trigger the workflow that processes the issue.

  3. Observe that the injected command is executed on the runner.

The workflow logs show that $(whoami) is evaluated and its output (runner) appears in the command result, confirming that attacker-controlled input is executed within the shell.

[Screenshot, 2026-03-27 8:33:43 PM: https://github.com/user-attachments/assets/90b38dab-8c53-4a13-8302-158ac5acf051]

Impact

This vulnerability allows command injection in the GitHub Actions runner through attacker-controlled issue titles. An attacker may be able to execute arbitrary commands within the context of the affected workflow job.

Depending on the workflow configuration (such as permissions and available secrets), successful exploitation could lead to:

  • Unauthorized command execution in the CI environment
  • Misuse of the GITHUB_TOKEN
  • Modification of repository state, release artifacts, or other workflow outputs

If the repository is public and allows untrusted users to create or reopen issues that trigger the workflow, this may be exploitable by external users.

This issue is limited to the repository's internal workflow configuration and does not directly affect downstream users of the published actions-mkdocs GitHub Action.

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-77"
    ],
    "github_reviewed_at": "2026-04-04T06:03:06Z"
}
References

Affected packages

GitHub Actions / Tiryoh/actions-mkdocs

Package

Affected ranges

Type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 0.25.0

Database specific

last_known_affected_version_range: "<= 0.24.0"
source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6p2j-742g-835f/GHSA-6p2j-742g-835f.json"