Severity: HIGH | CVE-2026-48546 | CNA: VulnCheck

CVE-2026-48546: KanaDojo < 0.1.18 Sandbox Escape RCE via messages.cjs

KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull request modifying messages.cjs to import arbitrary Node.js modules, bypassing sandbox restrictions and achieving remote code execution with full GitHub Actions runner privileges including access to AUTOMATION_PR_TOKEN.

Metrics

CVSS v4.0: 8.5
Severity: HIGH
Fixed in: 0.1.18
Affected Products: 1


HarborGuard Analysis

Synopsis

A sandbox escape vulnerability in KanaDojo before 0.1.18 allows a network-accessible attacker with a low-privilege account to execute arbitrary code by exploiting the explicit passing of Node.js's global require function into a vm.runInNewContext() sandbox in the issue-auto-respond.yml GitHub Actions workflow. The attacker submits a pull request modifying messages.cjs to import arbitrary Node.js modules, bypassing sandbox isolation entirely. Successful exploitation grants full GitHub Actions runner privileges, including access to the AUTOMATION_PR_TOKEN secret. A patched-image rebuild at version 0.1.18 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-48546 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from lingdojo/kana-dojo. Scans run continuously across both registry snapshots and active CI pipeline stages, so newly pushed images are evaluated without manual intervention.
Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 8.5 (HIGH) and weighting it against each environment's compliance policy to determine urgency and routing. Findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patch (Available)

A patched-image rebuild at KanaDojo 0.1.18 becomes available on HarborGuard the moment the fix version is confirmed against a customer's affected image set. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the GitHub Actions workflow over the network by submitting a pull request to the target repository; the vulnerable code path is triggered remotely through standard VCS interaction.

  • Authentication: Required

    The attacker must hold a GitHub account with permission to submit a pull request, meaning any low-privilege contributor account is sufficient to trigger the vulnerable workflow.

  • Victim interaction: Required

    A repository maintainer or automated process must evaluate or approve the pull request, making victim interaction a prerequisite for the malicious messages.cjs payload to execute.

  • Attack complexity: Low

    Attack complexity is low: no race conditions or special environmental conditions are required; the exploit path is straightforward and reliably reproducible once a pull request is accepted into the workflow.

Blast Radius

  • The attacker reads secrets available to the GitHub Actions runner, including the AUTOMATION_PR_TOKEN, which can be used to authenticate as an automated identity against the repository and any systems it has access to.
  • The attacker executes arbitrary code with full GitHub Actions runner privileges, enabling modification of repository contents, CI pipeline artifacts, or downstream deployment targets.
  • Arbitrary Node.js modules can be imported and executed, allowing the attacker to exfiltrate environment variables, credentials, and any files accessible to the runner process.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-48546 is active the moment the advisory is ingested, matching any image that packages a pre-0.1.18 version of lingdojo/kana-dojo. For customers running an affected version, a patched-image rebuild at 0.1.18 is available immediately upon scan confirmation. Where compliance policy permits auto-remediation, HarborGuard can rebuild the image at the fixed version, execute the regression test suite, and open a pull request against affected workloads automatically; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will see the finding routed to the appropriate team inbox with CVSS 8.5 scoring and policy-weighted priority attached. Given the severity of CI pipeline secret exposure, security teams are advised to treat this as a high-priority remediation regardless of auto-remediation status.


Fix available: 0.1.18

Patch commits

Affected packages
  • lingdojo / kana-dojo: < 0.1.18 (from 0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N