CRITICAL🇵🇱 Wersja polska

CVE-2026-45131

CVSS 10.0v3.1pub. 2026-06-01

CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens without requiring maintainer approval. This issue has been patched via commit fcf9302.

🤖 AI Analysis
How it works

The GitHub Actions workflow named pull-request.yaml was configured in a way that allowed execution of code from external fork pull requests in a privileged CI/CD environment context. An attacker could submit a crafted pull request from a forked repository, and the code would subsequently be executed automatically with access to repository secrets. This mechanism required no interaction or approval from the project maintainer, making the attack fully autonomous. The vulnerability is classified as CWE-94 (improper control of code generation), meaning inadequate control over executed external code.

Impact

An attacker gains access to sensitive repository secrets, including tokens and authentication credentials for Docker Hub, which could lead to account takeover in container registries and potential poisoning of publicly available Docker images.

Mitigation & patch

Update the repository to a version containing commit fcf930211604652aec15085895b6457bc8b73b54 or newer. The fix was introduced directly in this commit. Additionally, it is recommended to rotate all secrets and tokens (including Docker Hub credentials) stored in the repository as a precautionary measure in case the vulnerability was previously exploited.

Who is affected

CloudPirates Open Source Helm Charts in all versions preceding commit fcf9302 in the CloudPirates-io/helm-charts GitHub repository

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
CI/CDContainer
CWE
References