CVE-2026-24844: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in chainguard-dev melange
CVE-2026-24844 is a high-severity OS command injection vulnerability in chainguard-dev's melange tool, versions 0.3.0 up to but not including 0.40.3. The flaw arises when user-controlled input values are substituted into the working-directory field of declarative build pipelines without shell escaping, allowing an attacker with limited privileges to execute arbitrary shell commands inside the build. Exploitation requires the attacker to supply build input values and involves user interaction, but does not require modifying the pipeline definition itself. The vulnerability impacts confidentiality and integrity but not availability. It has been patched in version 0.40.3.
AI Analysis
Technical Summary
CVE-2026-24844 is an OS command injection vulnerability classified under CWE-78 in melange, the chainguard-dev tool that builds apk packages (the Alpine package format used by Wolfi and Alpine Linux, not Android application packages) from declarative pipelines. Versions from 0.3.0 up to but not including 0.40.3 are vulnerable. The issue stems from improper neutralization of shell metacharacters in the working-directory field when that field uses variable substitutions such as ${{vars.*}} or ${{inputs.*}}. The substituted value is interpolated directly into the generated shell script without quoting or escaping, so an attacker who can supply build input values (but cannot alter the pipeline definition) can terminate the intended command with a metacharacter such as ; and append arbitrary commands that run with the privileges of the build. Exploitation requires limited privileges and user interaction, and it affects the confidentiality and integrity of the build environment. The CVSS v3.1 base score is 7.8 (high), reflecting high confidentiality and integrity impact tempered by the privilege and user-interaction requirements. No exploitation in the wild had been reported as of publication. The issue was fixed in melange 0.40.3 by escaping substituted values and validating inputs before they reach the shell.
Potential Impact
For European organizations, this vulnerability is most relevant to teams that use melange to build apk packages, for example for Wolfi-based container images or Alpine-style distributions. Successful exploitation gives an attacker command execution inside the build environment, where it can read secrets and other sensitive build material, exfiltrate confidential information, or tamper with the packages being produced. Because the injected commands run during the build itself, a compromised package can carry the attacker's changes downstream to every image or system that installs it, undermining software supply chain security. Organizations that run shared or multi-tenant build services, accept build inputs from external contributors, or depend on melange-built packages in automated pipelines are particularly exposed. The impact is amplified in regulated sectors with strict software integrity requirements, such as finance, healthcare, and critical infrastructure. If the build environment is connected to broader enterprise networks or holds credentials for other systems, the foothold can also be used for lateral movement or persistence.
Mitigation Recommendations
European organizations should upgrade melange to version 0.40.3 or later, which contains the official fix. Until the upgrade is in place, do not let untrusted or user-supplied values reach the working-directory field or any other pipeline parameter that is expanded into a shell command. Restrict build inputs that influence shell commands or environment variables to a narrow allow-list (for example, plain relative path characters with no shell metacharacters and no parent-directory components) and reject anything else rather than trying to sanitize it. Apply least privilege to build system accounts so that fewer people can supply build inputs, and review who can trigger builds with attacker-chosen parameters. Monitor build logs and pipeline executions for unexpected commands, network connections, or file writes outside the package tree. Isolating builds in containers or sandboxes limits what an injected command can reach on the host, but note that it does not protect the artifact being built, since the injected command runs inside the same build as the package. Finally, add static analysis or linting to the CI/CD pipeline that flags pipeline fields where a substitution is interpolated into a shell command without quoting.
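The following Go program is an added illustration written for this page, not melange's own code. It models a minimal ${{vars.*}}/${{inputs.*}} substitution into a working-directory field, shows the unquoted interpolation the technical summary describes beside a single-quoted form, and implements the kind of allow-list check the mitigation advice calls for. The placeholder regex, the function names, the `cd ... && ./configure && make` script shape and the attacker-supplied input are all constructed assumptions and do not reflect melange's real internals or fix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholder matches ${{inputs.NAME}} and ${{vars.NAME}} in a pipeline field.
// The syntax follows the advisory; the regex itself is a hypothetical stand-in.
var placeholder = regexp.MustCompile(`\$\{\{\s*(inputs|vars)\.([A-Za-z0-9_-]+)\s*\}\}`)

// substitute replaces every placeholder in field with the matching value.
// Unknown names are left as-is so a typo is visible rather than silently empty.
func substitute(field string, inputs, vars map[string]string) string {
	return placeholder.ReplaceAllStringFunc(field, func(m string) string {
		parts := placeholder.FindStringSubmatch(m)
		var v string
		var ok bool
		switch parts[1] {
		case "inputs":
			v, ok = inputs[parts[2]]
		case "vars":
			v, ok = vars[parts[2]]
		}
		if !ok {
			return m
		}
		return v
	})
}

// shellQuote wraps s in single quotes so the POSIX shell treats it as one
// literal word. An embedded single quote is closed, escaped and reopened:
// it's -> 'it'\''s'
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// vulnerableScript mirrors the pre-fix behaviour described in the advisory:
// the substituted working directory is concatenated into the script unquoted,
// so a ';' inside an input ends the cd and starts a new command.
func vulnerableScript(workdir string, inputs, vars map[string]string) string {
	return "cd " + substitute(workdir, inputs, vars) + " && ./configure && make"
}

// hardenedScript substitutes first and then quotes the whole expanded value,
// so metacharacters in an input can only ever be part of a directory name.
func hardenedScript(workdir string, inputs, vars map[string]string) string {
	return "cd " + shellQuote(substitute(workdir, inputs, vars)) + " && ./configure && make"
}

// safeWorkdir is a defence-in-depth allow-list for callers that accept build
// inputs from less trusted parties: a relative path built only from plain
// path characters, with no shell metacharacters and no ".." component.
var workdirRe = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

func safeWorkdir(v string) bool {
	if !workdirRe.MatchString(v) || strings.HasPrefix(v, "/") {
		return false
	}
	for _, seg := range strings.Split(v, "/") {
		if seg == ".." {
			return false
		}
	}
	return true
}

func main() {
	vars := map[string]string{"pkg": "zlib"}
	benign := map[string]string{"subdir": "src"}
	// Constructed attacker-controlled input: a directory name that also
	// carries a second shell command after the ';'.
	malicious := map[string]string{"subdir": "src; touch /tmp/pwned"}
	workdir := "${{vars.pkg}}/${{inputs.subdir}}"

	fmt.Println("benign, unquoted:   ", vulnerableScript(workdir, benign, vars))
	fmt.Println("malicious, unquoted:", vulnerableScript(workdir, malicious, vars))
	fmt.Println("malicious, quoted:  ", hardenedScript(workdir, malicious, vars))
	fmt.Println("allow-list accepts malicious value:", safeWorkdir(substitute(workdir, malicious, vars)))
}
```

The quoted form alone is enough to stop the injection, because the shell never sees the attacker's `;` as a separator. The allow-list is the second layer the mitigation section recommends: it rejects the value before any script is generated, and it also blocks path traversal, which quoting does nothing about.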
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-27T14:51:03.059Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6983a549f9fa50a62fa8d0c1
Added to database: 2/4/2026, 8:00:09 PM
Last enriched: 2/12/2026, 7:39:43 AM
Last updated: 3/24/2026, 10:29:06 AM