How is CVE-2026-44358 exploited?

Network reachability (required): The attacker submits a fork pull request over the network targeting a repository that processes pull_request_target workflows, so network-level access to the target repository's hosting service is necessary. Authentication (not-required): No authentication is required; creating a public fork and opening a pull request does not require any privileged account on the target repository. Victim interaction (required): A maintainer or CI system must trigger the pull_request_target workflow against the attacker's fork, meaning the victim's CI pipeline must process the malicious pull request. Attack complexity (info): Attack complexity is low; no race condition or special environmental state is needed, and the path substitution happens reliably whenever the workflow processes a fork checkout.

What is the impact of CVE-2026-44358?

Attacker-controlled code executes inside the GitHub Actions runner container with the permissions granted to the workflow, which may include access to repository secrets. Secrets such as tokens, API keys, and credentials exposed to the workflow environment can be read and exfiltrated by the injected code. The attacker can modify build artifacts, tamper with release pipelines, or inject malicious content into outputs produced by the CI job.

Back to search

HIGHCVE-2026-44358Published 2026-05-28Modified 2026-05-30CNA GitHub_M

CVE-2026-44358: Espressif Shared GitHub DangerJS: Untrusted Search Path in DangerJS Action Entrypoint

Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary resolution and Node.js module resolution. A fork pull request processed by a pull_request_target workflow could therefore cause fork-supplied code to execute inside the action container in place of the action's own code. This vulnerability is fixed in 1.0.1.

HarborGuard Analysis

HarborGuard analysis

Synopsis

An untrusted search path vulnerability affects Espressif Shared GitHub DangerJS, a reusable GitHub Actions CI workflow used by Espressif GitHub projects. The flaw exists in the action's entrypoint.sh, which resolves the DangerJS binary and Node.js modules from a caller-controlled workspace after copying fork content into it. A crafted fork pull request submitted against a repository using a pull_request_target workflow can substitute attacker-supplied code for the action's own code and execute it inside the action container. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched rebuild available as soon as one is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images and pipeline configurations, including custom-built images that bundle or reference this GitHub Action workflow.

Available

Triage

Triage is available using the CVSS v3.1 score of 8.2 (HIGH), with per-environment compliance policy weighting to prioritize or suppress the finding based on each customer org's risk rules, and routing to the appropriate team inbox within the customer's HarborGuard workspace.

Available

Patch

Because no fix version has been published for this CVE, HarborGuard re-checks the upstream advisory on every ingest cycle. The moment Espressif publishes a patched release, a rebuilt image at that version becomes available, and customers with auto-remediation enabled will receive a rebuild, a regression test run, and a PR opened against affected workloads automatically.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker submits a fork pull request over the network targeting a repository that processes pull_request_target workflows, so network-level access to the target repository's hosting service is necessary.
AuthenticationNot required
No authentication is required; creating a public fork and opening a pull request does not require any privileged account on the target repository.
Victim interactionRequired
A maintainer or CI system must trigger the pull_request_target workflow against the attacker's fork, meaning the victim's CI pipeline must process the malicious pull request.
Attack complexityDetail
Attack complexity is low; no race condition or special environmental state is needed, and the path substitution happens reliably whenever the workflow processes a fork checkout.

Blast Radius

Attacker-controlled code executes inside the GitHub Actions runner container with the permissions granted to the workflow, which may include access to repository secrets.
Secrets such as tokens, API keys, and credentials exposed to the workflow environment can be read and exfiltrated by the injected code.
The attacker can modify build artifacts, tamper with release pipelines, or inject malicious content into outputs produced by the CI job.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-44358 at this time, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment Espressif publishes version 1.0.1 or later. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the meantime, compensating controls worth considering include restricting pull_request_target workflow triggers to trusted contributors only, pinning the DangerJS action reference to a known-good commit SHA rather than a mutable tag, and applying network-policy isolation to runner environments to limit the blast radius of any code execution inside the container. HarborGuard will notify affected environments automatically when the upstream fix is confirmed and a clean rebuild is ready.

See how HarborGuard automates this

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

espressif / shared-github-dangerjs
< 1.0.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

References