CVE-2026-40316: CWE-94: Improper Control of Generation of Code ('Code Injection') in OWASP-BLT BLT
CVE-2026-40316 is a high-severity remote code execution vulnerability in OWASP BLT versions up to 2. 1. It arises from the misuse of the GitHub Actions workflow regenerate-migrations. yml, which runs with elevated permissions and imports attacker-controlled Python code during migration generation. This allows external contributors who can open pull requests and have a maintainer apply a specific label to execute arbitrary code in the CI environment, potentially leading to secret exfiltration and repository compromise. A patch is expected in version 2. 1. 1 but is not yet confirmed released.
AI Analysis
Technical Summary
OWASP BLT prior to version 2.1.1 contains an RCE vulnerability in its GitHub Actions workflow regenerate-migrations.yml. The workflow uses the pull_request_target trigger, granting full write permissions via GITHUB_TOKEN. It copies files from untrusted pull requests into the trusted runner environment and executes 'python manage.py makemigrations', which imports Django model modules including attacker-controlled code in website/models.py. This results in execution of arbitrary Python code within the privileged CI environment, enabling attackers to access repository secrets and potentially compromise the supply chain. Exploitation requires an external contributor to open a pull request and a maintainer to apply the regenerate-migrations label. No official patch or remediation is confirmed yet, but a fix is expected in version 2.1.1.
Potential Impact
Successful exploitation allows remote code execution in the CI environment with full write permissions via GITHUB_TOKEN, enabling attackers to exfiltrate secrets, compromise the repository, and conduct supply chain attacks. The vulnerability affects confidentiality, integrity, and availability of the affected system and associated repositories.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released in version 2.1.1, restrict the ability to apply the regenerate-migrations label to trusted maintainers only and review pull requests carefully before applying this label. Avoid running workflows with pull_request_target triggers that execute untrusted code. Monitor vendor channels for the official patch release.
CVE-2026-40316: CWE-94: Improper Control of Generation of Code ('Code Injection') in OWASP-BLT BLT
Description
CVE-2026-40316 is a high-severity remote code execution vulnerability in OWASP BLT versions up to 2. 1. It arises from the misuse of the GitHub Actions workflow regenerate-migrations. yml, which runs with elevated permissions and imports attacker-controlled Python code during migration generation. This allows external contributors who can open pull requests and have a maintainer apply a specific label to execute arbitrary code in the CI environment, potentially leading to secret exfiltration and repository compromise. A patch is expected in version 2. 1. 1 but is not yet confirmed released.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OWASP BLT prior to version 2.1.1 contains an RCE vulnerability in its GitHub Actions workflow regenerate-migrations.yml. The workflow uses the pull_request_target trigger, granting full write permissions via GITHUB_TOKEN. It copies files from untrusted pull requests into the trusted runner environment and executes 'python manage.py makemigrations', which imports Django model modules including attacker-controlled code in website/models.py. This results in execution of arbitrary Python code within the privileged CI environment, enabling attackers to access repository secrets and potentially compromise the supply chain. Exploitation requires an external contributor to open a pull request and a maintainer to apply the regenerate-migrations label. No official patch or remediation is confirmed yet, but a fix is expected in version 2.1.1.
Potential Impact
Successful exploitation allows remote code execution in the CI environment with full write permissions via GITHUB_TOKEN, enabling attackers to exfiltrate secrets, compromise the repository, and conduct supply chain attacks. The vulnerability affects confidentiality, integrity, and availability of the affected system and associated repositories.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released in version 2.1.1, restrict the ability to apply the regenerate-migrations label to trusted maintainers only and review pull requests carefully before applying this label. Avoid running workflows with pull_request_target triggers that execute untrusted code. Monitor vendor channels for the official patch release.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T21:41:54.505Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e018e182d89c981fa55552
Added to database: 4/15/2026, 11:01:53 PM
Last enriched: 4/15/2026, 11:16:53 PM
Last updated: 4/16/2026, 12:17:31 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.