CVE-2026-48546: Protection Mechanism Failure in lingdojo kana-dojo
KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull request modifying messages.cjs to import arbitrary Node.js modules, bypassing sandbox restrictions and achieving remote code execution with full GitHub Actions runner privileges including access to AUTOMATION_PR_TOKEN.
AI Analysis
Technical Summary
CVE-2026-48546 is a sandbox escape vulnerability in lingdojo's kana-dojo product prior to version 0.1.18. The vulnerability arises from the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context within the issue-auto-respond.yml GitHub Actions workflow. An attacker can submit a pull request that modifies the messages.cjs file to import arbitrary Node.js modules, thereby bypassing sandbox restrictions. This enables remote code execution with full privileges of the GitHub Actions runner, including access to sensitive tokens such as AUTOMATION_PR_TOKEN.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary code remotely within the GitHub Actions runner environment with elevated privileges. This includes access to sensitive automation tokens (AUTOMATION_PR_TOKEN), potentially leading to unauthorized actions within the repository or broader GitHub environment. The vulnerability compromises the sandbox isolation intended to restrict code execution, resulting in a high-severity security risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid using affected versions (<0.1.18) of kana-dojo in environments where untrusted pull requests can trigger the vulnerable workflow. Restrict GitHub Actions workflows to trusted contributors and consider disabling or restricting the issue-auto-respond.yml workflow to prevent exploitation.
CVE-2026-48546: Protection Mechanism Failure in lingdojo kana-dojo
Description
KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull request modifying messages.cjs to import arbitrary Node.js modules, bypassing sandbox restrictions and achieving remote code execution with full GitHub Actions runner privileges including access to AUTOMATION_PR_TOKEN.
CVSS v4.0
Score 8.5high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-48546 is a sandbox escape vulnerability in lingdojo's kana-dojo product prior to version 0.1.18. The vulnerability arises from the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context within the issue-auto-respond.yml GitHub Actions workflow. An attacker can submit a pull request that modifies the messages.cjs file to import arbitrary Node.js modules, thereby bypassing sandbox restrictions. This enables remote code execution with full privileges of the GitHub Actions runner, including access to sensitive tokens such as AUTOMATION_PR_TOKEN.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary code remotely within the GitHub Actions runner environment with elevated privileges. This includes access to sensitive automation tokens (AUTOMATION_PR_TOKEN), potentially leading to unauthorized actions within the repository or broader GitHub environment. The vulnerability compromises the sandbox isolation intended to restrict code execution, resulting in a high-severity security risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid using affected versions (<0.1.18) of kana-dojo in environments where untrusted pull requests can trigger the vulnerable workflow. Restrict GitHub Actions workflows to trusted contributors and consider disabling or restricting the issue-auto-respond.yml workflow to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-21T18:34:46.417Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2af7a8815e7002b8172395
Added to database: 6/11/2026, 6:00:08 PM
Last enriched: 6/11/2026, 6:15:07 PM
Last updated: 6/11/2026, 7:29:15 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.