PT-2026-40973 · Packagist · Coreshop/Core-Shop

Published

2026-05-14

·

Updated

2026-05-14

·

CVE-2026-41249

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Summary

The GitHub Actions workflow (.github/workflows/static.yml) uses the pull request target trigger but dangerously checks out the unverified code from the pull request head (ref: ${{ github.event.pull request.head.ref }}). Subsequently, it executes a script (bin/console) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability.
Steps to Reproduce:
  1. Fork the target repository.
  2. In the forked repository, modify a file that satisfies the paths condition (e.g., src/dummy.php or composer.json) to trigger the workflow.
  3. Modify the bin/console file (which is executed in the workflow steps) with the following malicious payload:
#!/bin/bash
echo "=== PWNED ==="
echo "whoami:"
whoami
  1. Commit the changes and open a Pull Request against the 5.0 or next branch of the base repository.
  2. The Static Tests workflow will trigger automatically. Navigate to the Actions tab and inspect the logs for the Validate YAML (or any step executing bin/console).
  3. You will see the output of whoami (typically runner), proving that the arbitrary code was successfully executed in the runner's context.
スクリーンショット 2026-04-14 11 14 56
Impact: Because pull request target runs in the context of the base repository, the runner has access to repository secrets (e.g., PIMCORE SECRET, PIMCORE PRODUCT KEY) loaded in the environment. An attacker can exfiltrate these secrets, modify repository contents (if the token has write permissions), or abuse the runner's computing resources.
Recommended Mitigation: Do not checkout untrusted PR code (head.ref) when using pull request target if the code will be built or executed. Consider adopting a separated architecture using the workflow run event:
  1. Use the pull request event to safely run the build/tests in an unprivileged sandbox and upload artifacts.
  2. Use the workflow run event (which is privileged) to download the artifacts and perform actions requiring secrets.

Fix

Code Injection

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2026-41249
GHSA-Q58J-G3F4-H26H

Affected Products

Coreshop/Core-Shop