melange pipeline working-directory could allow command injection_CVE-2026-24844

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Description

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.

Basic Information

ID CVE-2026-24844

Source GitHub_M

Published Feb 4, 2026 at 19:31

Affected Product

Vendor chainguard-dev

Product melange

Version >= 0.3.0, < 0.40.3

Affected Versions chainguard-dev melange >= 0.3.0, < 0.40.3

CWE Classification

CWE-78

References

{
    "lastseen": "",
    "description": "melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.",
    "published": "2026-02-04T19:31:55.830Z",
    "modified": "2026-02-04T19:31:55.830Z",
    "type": "cve",
    "title": "melange pipeline working-directory could allow command injection",
    "source": "GitHub_M",
    "references": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2\nhttps://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8",
    "id": "CVE-2026-24844",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "chainguard-dev melange >= 0.3.0, < 0.40.3",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "melange",
    "version": ">= 0.3.0, < 0.40.3",
    "vendor": "chainguard-dev",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}