HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-45132Published Modified CNA GitHub_M

CVE-2026-45132: CloudPirates Open Source Helm Charts: GitHub Actions workflow leaks PAT and SSH signing key via unsafe credential handling

CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposes sensitive credentials (Personal Access Token and SSH signing key) to fork-controlled code due to unsafe checkout and credential handling practices. This issue has been patched via commit fcf9302.

Metrics

CVSS v3.1
10.0
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An unsafe credential handling vulnerability in the CloudPirates Open Source Helm Charts GitHub Actions workflow (generate-schema.yaml) exposes a Personal Access Token and an SSH signing key to code controlled by fork contributors. The vulnerability is reachable over the network without any authentication, meaning any external actor who can submit a pull request to the repository can trigger the workflow and capture the leaked secrets. Successful exploitation gives the attacker full read and write access to anything authorized by the stolen PAT and SSH key, including the ability to tamper with repository contents, packages, or downstream release artifacts. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix version is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images and pipeline artifacts, including custom-built images that bundle or reference the affected Helm charts. No manual configuration is required to gain coverage once the CVE record is live.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 10.0 Critical and weighting it against each customer environment's compliance policy to determine urgency and escalation path. Triage routing directs the finding to the appropriate team inbox within each customer organization based on image ownership and policy rules.

Available
Patch

Because no fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainers publish a tagged release or reference commit that resolves the issue. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads as soon as that upstream fix lands.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the GitHub Actions workflow over the network by submitting or controlling a pull request that triggers the vulnerable workflow.

  • AuthenticationNot required

    No authentication is required; any unauthenticated or anonymous actor with the ability to open a pull request can trigger the credential leak.

  • Victim interactionNot required

    No victim interaction is needed; the workflow runs automatically on pull request events without requiring any action from a maintainer or reviewer.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental factors to succeed.

Blast Radius

  • The attacker captures the repository's Personal Access Token, gaining read and write access to every resource the token is authorized for, including code, packages, and GitHub API operations.
  • The attacker obtains the SSH signing key, allowing them to forge signed commits or tags that appear to originate from a trusted maintainer.
  • An attacker with the stolen PAT can modify release artifacts or Helm chart packages published downstream, introducing malicious content into any environment that consumes those charts.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version has been published, HarborGuard continuously monitors this advisory on every ingest cycle and will surface a patched-image rebuild the moment the maintainers land a tagged release resolving the issue. In the interim, compensating controls available to customers include network-policy isolation to restrict which pipeline agents can reach external GitHub endpoints, egress filtering to limit outbound credential exposure, and feature-flag gating to disable or quarantine images that bundle the affected chart version. For customers with auto-remediation enabled, once an upstream fix is confirmed, the full rebuild, regression-test, and PR flow will trigger automatically with no manual intervention required. Customers should also review whether any existing deployments reference the affected workflow indirectly through chart dependencies and apply policy-based blocking at the registry level until a clean build is available.

See how HarborGuard automates this
Affected packages
  • CloudPirates-io / helm-charts
    < fcf930211604652aec15085895b6457bc8b73b54
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
References