CVE-2026-47174: CWE-829: Inclusion of Functionality from Untrusted Control Sphere in duck-organization duck-site
In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisfy the deploy workflow’s main branch condition, the deploy job checks out the triggering workflow commit, builds it into a Docker image, pushes it as latest, and triggers Dokploy deployment. This can allow attacker-controlled pull request code to become the deployed production site image without being merged. This issue has been patched in version 1.0.1.
AI Analysis
Technical Summary
The vulnerability in Duck Site prior to version 1.0.1 arises from a deployment workflow that runs after the build workflow. The build workflow runs on pull requests, while the deploy workflow, which requires package-write permissions and deployment secrets, runs on the main branch. If an attacker can manipulate a pull request build to satisfy the deploy workflow’s main branch condition, the deploy job will check out the triggering commit, build it into a Docker image, push it as latest, and trigger deployment. This allows attacker-controlled pull request code to be deployed as the production site image without being merged. The vulnerability is identified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and has a CVSS 4.0 score of 9.5, indicating critical severity. The issue has been fixed in Duck Site version 1.0.1.
Potential Impact
An attacker can cause unmerged, attacker-controlled code from a pull request to be deployed to production, potentially compromising the integrity and security of the production environment. This could lead to unauthorized code execution, data compromise, or service disruption. The vulnerability is critical due to the high privileges of the deploy workflow and the ability to bypass normal code review and merge controls.
Mitigation Recommendations
A fix is available in Duck Site version 1.0.1. Users should upgrade to version 1.0.1 or later to remediate this vulnerability. No other mitigation steps are indicated by the vendor advisory.
CVE-2026-47174: CWE-829: Inclusion of Functionality from Untrusted Control Sphere in duck-organization duck-site
Description
In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisfy the deploy workflow’s main branch condition, the deploy job checks out the triggering workflow commit, builds it into a Docker image, pushes it as latest, and triggers Dokploy deployment. This can allow attacker-controlled pull request code to become the deployed production site image without being merged. This issue has been patched in version 1.0.1.
CVSS v4.0
Score 9.5critical
Affected software
pkg:github/duck-organization/duck-siteRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Duck Site prior to version 1.0.1 arises from a deployment workflow that runs after the build workflow. The build workflow runs on pull requests, while the deploy workflow, which requires package-write permissions and deployment secrets, runs on the main branch. If an attacker can manipulate a pull request build to satisfy the deploy workflow’s main branch condition, the deploy job will check out the triggering commit, build it into a Docker image, push it as latest, and trigger deployment. This allows attacker-controlled pull request code to be deployed as the production site image without being merged. The vulnerability is identified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and has a CVSS 4.0 score of 9.5, indicating critical severity. The issue has been fixed in Duck Site version 1.0.1.
Potential Impact
An attacker can cause unmerged, attacker-controlled code from a pull request to be deployed to production, potentially compromising the integrity and security of the production environment. This could lead to unauthorized code execution, data compromise, or service disruption. The vulnerability is critical due to the high privileges of the deploy workflow and the ability to bypass normal code review and merge controls.
Mitigation Recommendations
A fix is available in Duck Site version 1.0.1. Users should upgrade to version 1.0.1 or later to remediate this vulnerability. No other mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-18T21:25:34.497Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2b05d1815e7002b81ea66e
Added to database: 6/11/2026, 7:00:33 PM
Last enriched: 6/11/2026, 7:15:12 PM
Last updated: 6/12/2026, 3:15:06 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.