PT-2026-34803 · Melange · Melange

1Seal · Published 2026-04-23 · Updated 2026-04-28 · CVE-2026-29050

CVSS v3.1: 6.1 Medium
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: melange versions 0.32.0 through 0.43.3
Description: An attacker who can influence a build configuration file, for example in build-as-a-service or pull-request-driven CI scenarios, can set the pipeline[].uses value to an absolute path or a path containing ../ sequences. The compilePipeline() function in pkg/build/compile.go does not validate this value before passing it to filepath.Join(), so the process reads arbitrary YAML-parseable files outside the designated pipeline directory. Because the loaded file is interpreted as a pipeline and its runs: block is executed via /bin/sh -c inside the build sandbox, this allows unauthorized shell commands from out-of-tree files to run, bypassing the normal review boundary.
Recommendations: Update to version 0.43.4. Only run melange build against configuration files from trusted sources. In CI systems that process user-supplied configurations, manually review pipeline[].uses values and reject any that contain .. or begin with /.
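As an added illustration, not melange's own code, the hypothetical Go helper resolvePipelineUses below shows the check the recommendation describes applied at the point where an unchecked filepath.Join() would sit: reject absolute values and any .. component, then confirm the joined result still lies beneath the pipeline directory. The directory name, the function and the sample values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUsesOutsideDir is returned when a "uses" value would resolve outside
// the pipeline directory even after the component checks.
var ErrUsesOutsideDir = errors.New("pipeline uses: path escapes pipeline directory")

// resolvePipelineUses (hypothetical) validates a pipeline[].uses value before
// joining it onto pipelineDir. It returns the resolved path or an error.
func resolvePipelineUses(pipelineDir, uses string) (string, error) {
	if uses == "" {
		return "", errors.New("pipeline uses: empty value")
	}
	// An absolute value would make filepath.Join ignore pipelineDir entirely.
	if filepath.IsAbs(uses) {
		return "", fmt.Errorf("pipeline uses: absolute path %q not allowed", uses)
	}
	// Check components before cleaning so "x/../../y" is rejected even though
	// filepath.Clean would otherwise normalise it away.
	for _, part := range strings.Split(filepath.ToSlash(uses), "/") {
		if part == ".." {
			return "", fmt.Errorf("pipeline uses: %q contains \"..\"", uses)
		}
	}
	base := filepath.Clean(pipelineDir)
	joined := filepath.Join(base, uses)
	// Backstop: the relative path from base must not start with "..".
	rel, err := filepath.Rel(base, joined)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUsesOutsideDir
	}
	return joined, nil
}

func main() {
	// Constructed sample values: one benign, three that must be rejected.
	for _, u := range []string{"go/build", "../../etc/passwd", "/tmp/evil.yaml", "x/../../y"} {
		p, err := resolvePipelineUses("/opt/melange/pipelines", u)
		fmt.Printf("%-18s -> %q err=%v\n", u, p, err)
	}
}
```

The check is purely lexical; if the pipeline directory may contain symlinks, resolve the result with filepath.EvalSymlinks and repeat the containment test on the real path.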

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-29050
GHSA-98F2-W9H9-7FP9

Affected Products

Melange