CVE-2026-45131: CWE-94: Improper Control of Generation of Code ('Code Injection') in CloudPirates-io helm-charts
CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens without requiring maintainer approval. This issue has been patched via commit fcf9302.
AI Analysis
Technical Summary
CloudPirates-io's Helm charts included a GitHub Actions workflow (pull-request.yaml) that, prior to commit fcf9302, executed attacker-controlled code from fork pull requests with elevated privileges. This improper control of code generation (CWE-94) allowed exposure of repository secrets such as Docker Hub credentials and tokens without maintainer approval. The vulnerability was addressed by the patch in commit fcf9302, which prevents execution of untrusted code in this context.
Potential Impact
An attacker submitting a forked pull request could execute arbitrary code in the repository's GitHub Actions environment with privileged access. This leads to exposure of sensitive secrets including Docker Hub credentials and tokens, compromising confidentiality and integrity of the repository and associated resources. There is no reported impact on availability. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability has been patched by commit fcf9302. Users should update to the fixed version of the Helm charts that include this commit. Since this is not a cloud service, remediation requires users to pull the updated code. Patch status is confirmed by the vendor's commit reference. No additional mitigation is indicated.
CVE-2026-45131: CWE-94: Improper Control of Generation of Code ('Code Injection') in CloudPirates-io helm-charts
Description
CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens without requiring maintainer approval. This issue has been patched via commit fcf9302.
CVSS v3.1
Score 10.0critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CloudPirates-io's Helm charts included a GitHub Actions workflow (pull-request.yaml) that, prior to commit fcf9302, executed attacker-controlled code from fork pull requests with elevated privileges. This improper control of code generation (CWE-94) allowed exposure of repository secrets such as Docker Hub credentials and tokens without maintainer approval. The vulnerability was addressed by the patch in commit fcf9302, which prevents execution of untrusted code in this context.
Potential Impact
An attacker submitting a forked pull request could execute arbitrary code in the repository's GitHub Actions environment with privileged access. This leads to exposure of sensitive secrets including Docker Hub credentials and tokens, compromising confidentiality and integrity of the repository and associated resources. There is no reported impact on availability. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability has been patched by commit fcf9302. Users should update to the fixed version of the Helm charts that include this commit. Since this is not a cloud service, remediation requires users to pull the updated code. Patch status is confirmed by the vendor's commit reference. No additional mitigation is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T20:08:17.209Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1dbba3e29bf47b501c57a3
Added to database: 6/1/2026, 5:04:35 PM
Last enriched: 6/1/2026, 5:18:46 PM
Last updated: 6/2/2026, 7:21:38 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.