CVE-2026-41414: CWE-94: Improper Control of Generation of Code ('Code Injection') in skim-rs skim
Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.
AI Analysis
Technical Summary
The skim-rs project contained a code injection vulnerability (CWE-94) in its GitHub Actions workflow file .github/workflows/pr.yml. The generate-files job executes code from forks submitted as pull requests without proper validation or gating, allowing arbitrary code execution with access to sensitive secrets such as SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (with contents:write scope). This enables attackers to run malicious code in the CI environment. The issue affects versions prior to commit bf63404ad51985b00ed304690ba9d477860a5a75, where the vulnerability was fixed.
Potential Impact
An attacker can execute arbitrary code in the continuous integration environment by submitting a pull request from a forked repository. This execution has access to sensitive secrets including SKIM_RS_BOT_PRIVATE_KEY and a GitHub token with write permissions to repository contents, potentially allowing unauthorized code changes or secret exfiltration. The vulnerability has a CVSS 3.1 score of 7.4 (high severity), indicating a significant risk of code injection and integrity compromise.
Mitigation Recommendations
This vulnerability is fixed in commit bf63404ad51985b00ed304690ba9d477860a5a75. Users should update to this commit or a later version that includes the fix. Since no official remediation level is provided beyond this fix, applying the patch is the recommended action. Until patched, avoid running workflows that execute code from untrusted forks or restrict secret access in GitHub Actions workflows triggered by pull requests from forks.
CVE-2026-41414: CWE-94: Improper Control of Generation of Code ('Code Injection') in skim-rs skim
Description
Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The skim-rs project contained a code injection vulnerability (CWE-94) in its GitHub Actions workflow file .github/workflows/pr.yml. The generate-files job executes code from forks submitted as pull requests without proper validation or gating, allowing arbitrary code execution with access to sensitive secrets such as SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (with contents:write scope). This enables attackers to run malicious code in the CI environment. The issue affects versions prior to commit bf63404ad51985b00ed304690ba9d477860a5a75, where the vulnerability was fixed.
Potential Impact
An attacker can execute arbitrary code in the continuous integration environment by submitting a pull request from a forked repository. This execution has access to sensitive secrets including SKIM_RS_BOT_PRIVATE_KEY and a GitHub token with write permissions to repository contents, potentially allowing unauthorized code changes or secret exfiltration. The vulnerability has a CVSS 3.1 score of 7.4 (high severity), indicating a significant risk of code injection and integrity compromise.
Mitigation Recommendations
This vulnerability is fixed in commit bf63404ad51985b00ed304690ba9d477860a5a75. Users should update to this commit or a later version that includes the fix. Since no official remediation level is provided beyond this fix, applying the patch is the recommended action. Until patched, avoid running workflows that execute code from untrusted forks or restrict secret access in GitHub Actions workflows triggered by pull requests from forks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T15:32:33.812Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebbba787115cfb68655cc7
Added to database: 4/24/2026, 6:51:19 PM
Last enriched: 4/24/2026, 7:06:56 PM
Last updated: 4/25/2026, 5:46:32 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.