CVE-2026-46699: CWE-284: Improper Access Control in conda-forge conda-smithy
A vulnerability in conda-smithy prior to version 3.61.0 allowed unintended write access to feedstock repositories due to improper access control. The issue was caused by using mutable GitHub usernames for repository invitation routing instead of stable user IDs. This flaw could enable unauthorized repository modifications. The vulnerability is fixed in version 3.61.0.
AI Analysis
Technical Summary
CVE-2026-46699 describes an improper access control vulnerability (CWE-284) in conda-smithy, a tool used by conda-forge to combine conda recipes with CI configurations. Before version 3.61.0, the conda-forge automated webservices relied on mutable GitHub usernames to route repository invitations. Because GitHub usernames can be changed, this allowed an attacker who took over a GitHub username to gain unintended write access to feedstock repositories. The vulnerability is resolved by switching to stable, immutable GitHub user IDs for invitation routing in version 3.61.0.
Potential Impact
The vulnerability allows an attacker who gains control of a GitHub username to write to conda-forge feedstock repositories, potentially modifying repository contents. This could lead to integrity issues in the software supply chain. The CVSS score of 7.6 reflects a high severity with low attack complexity, no privileges required, but user interaction needed, and impacts on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade conda-smithy to version 3.61.0 or later, where the vulnerability is fixed by using immutable GitHub user IDs for invitation routing. No other mitigation is indicated. Patch status is confirmed by the vendor advisory stating the fix is in version 3.61.0.
CVE-2026-46699: CWE-284: Improper Access Control in conda-forge conda-smithy
Description
A vulnerability in conda-smithy prior to version 3.61.0 allowed unintended write access to feedstock repositories due to improper access control. The issue was caused by using mutable GitHub usernames for repository invitation routing instead of stable user IDs. This flaw could enable unauthorized repository modifications. The vulnerability is fixed in version 3.61.0.
CVSS v3.1
Score 7.6high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46699 describes an improper access control vulnerability (CWE-284) in conda-smithy, a tool used by conda-forge to combine conda recipes with CI configurations. Before version 3.61.0, the conda-forge automated webservices relied on mutable GitHub usernames to route repository invitations. Because GitHub usernames can be changed, this allowed an attacker who took over a GitHub username to gain unintended write access to feedstock repositories. The vulnerability is resolved by switching to stable, immutable GitHub user IDs for invitation routing in version 3.61.0.
Potential Impact
The vulnerability allows an attacker who gains control of a GitHub username to write to conda-forge feedstock repositories, potentially modifying repository contents. This could lead to integrity issues in the software supply chain. The CVSS score of 7.6 reflects a high severity with low attack complexity, no privileges required, but user interaction needed, and impacts on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade conda-smithy to version 3.61.0 or later, where the vulnerability is fixed by using immutable GitHub user IDs for invitation routing. No other mitigation is indicated. Patch status is confirmed by the vendor advisory stating the fix is in version 3.61.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-15T23:26:58.308Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a346115f198dc38c1910c61
Added to database: 6/18/2026, 9:20:21 PM
Last enriched: 6/18/2026, 9:35:08 PM
Last updated: 6/18/2026, 11:56:23 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.