CVE-2026-41414: CWE-94: Improper Control of Generation of Code ('Code Injection') in skim-rs skim
Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.
AI Analysis
Technical Summary
The vulnerability arises from the GitHub Actions workflow in skim-rs that runs code from forked pull requests without sufficient validation or gating. This allows an attacker to execute arbitrary code within the workflow environment, gaining access to sensitive tokens with write permissions. The flaw is classified as CWE-94 (Improper Control of Generation of Code). The vulnerability affects all versions prior to commit bf63404ad51985b00ed304690ba9d477860a5a75, which contains the fix. The CVSS 3.1 score is 7.4 (High), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, no confidentiality impact, high integrity impact, and no availability impact.
Potential Impact
An attacker can execute arbitrary code in the GitHub Actions environment by submitting a pull request from a forked repository. This execution has access to sensitive secrets including SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN with write permissions, potentially allowing unauthorized code changes or repository manipulation. The integrity of the project and its codebase can be compromised. There is no reported impact on confidentiality or availability. No known public exploits have been reported to date.
Mitigation Recommendations
A fix is available and implemented in commit bf63404ad51985b00ed304690ba9d477860a5a75. Users should update to this commit or later versions to remediate the vulnerability. Until patched, it is recommended to restrict or disable workflows that run untrusted code from forked pull requests or to implement proper gating controls to prevent execution of attacker-controlled code with access to sensitive secrets.
CVE-2026-41414: CWE-94: Improper Control of Generation of Code ('Code Injection') in skim-rs skim
Description
Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.
CVSS v3.1
Score 7.4high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from the GitHub Actions workflow in skim-rs that runs code from forked pull requests without sufficient validation or gating. This allows an attacker to execute arbitrary code within the workflow environment, gaining access to sensitive tokens with write permissions. The flaw is classified as CWE-94 (Improper Control of Generation of Code). The vulnerability affects all versions prior to commit bf63404ad51985b00ed304690ba9d477860a5a75, which contains the fix. The CVSS 3.1 score is 7.4 (High), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, no confidentiality impact, high integrity impact, and no availability impact.
Potential Impact
An attacker can execute arbitrary code in the GitHub Actions environment by submitting a pull request from a forked repository. This execution has access to sensitive secrets including SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN with write permissions, potentially allowing unauthorized code changes or repository manipulation. The integrity of the project and its codebase can be compromised. There is no reported impact on confidentiality or availability. No known public exploits have been reported to date.
Mitigation Recommendations
A fix is available and implemented in commit bf63404ad51985b00ed304690ba9d477860a5a75. Users should update to this commit or later versions to remediate the vulnerability. Until patched, it is recommended to restrict or disable workflows that run untrusted code from forked pull requests or to implement proper gating controls to prevent execution of attacker-controlled code with access to sensitive secrets.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T15:32:33.812Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebbba787115cfb68655cc7
Added to database: 4/24/2026, 6:51:19 PM
Last enriched: 5/1/2026, 8:34:34 PM
Last updated: 6/9/2026, 2:20:06 PM
Views: 53
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.