
CVE-2026-31900: CWE-20: Improper Input Validation in psf black

Severity: High
Tags: Vulnerability, CVE-2026-31900, CWE-20
Published: Wed Mar 11 2026 (03/11/2026, 19:15:20 UTC)
Source: CVE Database V5
Vendor/Project: psf
Product: black

Description

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

AI-Powered Analysis

Last updated: 03/11/2026, 19:59:31 UTC

Technical Analysis

Black is a widely used Python code formatter that offers a GitHub Action integration to automate code formatting workflows. This GitHub Action supports an option, use_pyproject: true, which instructs it to read the Black version from the repository's pyproject.toml file. The vulnerability arises because the action does not properly validate the contents of pyproject.toml, allowing a malicious actor to craft a pull request that alters this file to specify a direct URL pointing to a malicious repository. When the GitHub Action runs, it fetches and executes code from this untrusted source, resulting in arbitrary code execution within the GitHub Actions runner environment. This execution context often has access to repository secrets and permissions, enabling attackers to exfiltrate sensitive data or perform unauthorized operations. The root cause is improper input validation (CWE-20) of user-controlled configuration data. The vulnerability affects all versions of Black prior to 26.3.0, which includes the vulnerable GitHub Action implementation. The CVSS 4.0 base score is 8.7, reflecting a high severity due to network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits have been reported in the wild yet, the potential impact is significant given the widespread use of Black and GitHub Actions in software development pipelines. The issue was publicly disclosed on March 11, 2026, and fixed in version 26.3.0.

Potential Impact

The vulnerability enables attackers to execute arbitrary code within the GitHub Actions runner environment by manipulating the pyproject.toml file in a pull request. This can lead to unauthorized access to repository secrets such as API tokens, credentials, and deployment keys, potentially compromising the entire software supply chain. Organizations relying on automated CI/CD pipelines with Black's GitHub Action are at risk of code injection attacks that could result in data breaches, unauthorized deployments, or lateral movement within their infrastructure. The impact extends beyond confidentiality to integrity and availability, as attackers could alter code, disrupt build processes, or introduce malicious payloads. Given the ease of exploitation—no authentication or user interaction is required—and the common use of GitHub Actions globally, the threat poses a significant risk to software development organizations, open source projects, and enterprises using Black for code formatting automation.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately upgrade Black to version 26.3.0 or later, which includes the fix for this issue. Additionally, implement strict pull request review policies to detect and block unauthorized changes to configuration files such as pyproject.toml. Limit the scope and permissions of GitHub Actions workflows by using least privilege principles, including restricting access to secrets and using environment protection rules. Employ branch protection rules to require manual approval for pull requests that modify workflow or configuration files. Monitor GitHub Actions logs for unusual activity and consider using ephemeral runners or isolated environments to reduce the impact of potential code execution. Finally, educate developers and DevOps teams about the risks of supply chain attacks and the importance of validating third-party code and configuration changes.

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-09T21:59:02.689Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b1c6312f860ef9436c35dc

Added to database: 3/11/2026, 7:44:49 PM

Last enriched: 3/11/2026, 7:59:31 PM

Last updated: 3/14/2026, 3:18:43 AM
