OWASP BLT prior to version 2.1.1 contains an RCE vulnerability in its GitHub Actions workflow regenerate-migrations.yml. The workflow uses the pull_request_target trigger, granting full write permissions via GITHUB_TOKEN. It copies files from untrusted pull requests into the trusted runner environment and executes 'python manage.py makemigrations', which imports Django model modules including attacker-controlled code in website/models.py. This results in execution of arbitrary Python code within the privileged CI environment, enabling attackers to access repository secrets and potentially compromise the supply chain. Exploitation requires an external contributor to open a pull request and a maintainer to apply the regenerate-migrations label. No official patch or remediation is confirmed yet, but a fix is expected in version 2.1.1.

Successful exploitation allows remote code execution in the CI environment with full write permissions via GITHUB_TOKEN, enabling attackers to exfiltrate secrets, compromise the repository, and conduct supply chain attacks. The vulnerability affects confidentiality, integrity, and availability of the affected system and associated repositories.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released in version 2.1.1, restrict the ability to apply the regenerate-migrations label to trusted maintainers only and review pull requests carefully before applying this label. Avoid running workflows with pull_request_target triggers that execute untrusted code. Monitor vendor channels for the official patch release.