HighPublic exploit

GitHub Actions pull_request_target RCE in OWASP BLT pre-commit-fix workflow

IdentifiersCVE-2026-42603CWE-94· Improper Control of Generation of…

CVE-2026-42603 affects OWASP BLT versions prior to 2.1.2. The vulnerable component is the GitHub Actions workflow file .github/workflows/pre-commit-fix.yaml, which uses the privileged pull_request_target event and then checks out and executes code from an attacker's forked pull request. Because pull_request_target runs in the security context of the target repository, this workflow design allows untrusted attacker-controlled code to execute with elevated repository permissions. The issue can result in remote code execution within the GitHub Actions runner and access to the repository's write-capable workflow token or other secrets available to that job. The issue was fixed in version 2.1.2.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker submitting a malicious pull request from a fork to achieve code execution in the privileged GitHub Actions context associated with the target repository. Because the workflow runs with write permissions, the attacker may be able to modify repository contents, tamper with workflows, create or alter commits, tags, releases, or pull requests, and potentially access or misuse secrets exposed to the job. This can lead to compromise of source integrity, CI/CD pipeline abuse, and broader downstream supply-chain impact.

Mitigation

If you can’t patch tonight, do this now.

Until patched, disable or restrict the affected .github/workflows/pre-commit-fix.yaml workflow, especially for fork-originated pull requests. Avoid using pull_request_target for workflows that execute PR code; prefer pull_request for untrusted code paths. Reduce GITHUB_TOKEN permissions to least privilege, disable write permissions where not required, prevent secrets from being exposed to jobs processing untrusted contributions, and require maintainer review before running workflows on external pull requests.

Remediation

Patch, then assume compromise.

Upgrade OWASP BLT to version 2.1.2 or later, where the vulnerable workflow behavior has been fixed. In general, workflows triggered by pull_request_target should not check out, build, or execute code from the untrusted head of a forked pull request. If privileged automation is required, separate untrusted validation from privileged post-processing, and ensure any privileged job operates only on trusted repository content.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cvefeed high severityNews

May 11, 2026

CVE-2026-42603 - OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target

A remote code execution vulnerability in OWASP BLT's GitHub Actions workflow configuration, where a privileged pull_request_target workflow executes attacker-controlled fork code with write permissions.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-42603

NVD

nvd.nist.gov/vuln/detail/CVE-2026-42603

MITRE CWE · CWE-94

Improper Control of Generation of Code ('Code…

github.com

github.com/OWASP-BLT/BLT/security/advisories/GHSA-cgvj-qg2h-cqfh