8.8 / 10 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with full GITHUB_TOKEN write permissions, copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show, and then executes python manage.py makemigrations, which imports Django model modules including attacker-controlled website/models.py at runtime. Any module-level Python code in the attacker's models.py is executed during import, enabling arbitrary code execution in the privileged CI environment with access to GITHUB_TOKEN and repository secrets. The attack is triggerable by any external contributor who can open a pull request, provided a maintainer applies the regenerate-migrations label, potentially leading to secret exfiltration, repository compromise, and supply chain attacks. A patch for this issue is expected to be released in version 2.1.1.
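The description above names a three-part pattern: a pull_request_target trigger (privileged token and secrets), PR head content pulled into the runner workspace via git show, and a command (manage.py makemigrations) that imports those files. The following audit function, added here as an example and not code from the BLT project, flags that combination in workflow text so maintainers can catch it in review. The two embedded workflows are constructed samples modelled on the advisory, not the real regenerate-migrations.yml; the check is a line-level heuristic, not a YAML parser.

```python
import re

# Constructed sample modelled on the advisory's description (not the real BLT workflow).
RISKY_WORKFLOW = """\
name: regenerate-migrations
on:
  pull_request_target:
    types: [labeled]
jobs:
  regen:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: git fetch origin pull/${{ github.event.pull_request.number }}/head:pr
      - run: git show pr:website/models.py > website/models.py
      - run: python manage.py makemigrations
"""

# Constructed hardened variant: unprivileged trigger, read-only token, no PR head copy.
SAFE_WORKFLOW = """\
name: regenerate-migrations
on:
  pull_request:
permissions:
  contents: read
jobs:
  regen:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python manage.py makemigrations --check
"""

PR_HEAD_REFS = re.compile(r"pull_request\.head|pull/\$\{\{[^}]*\}\}/head|refs/pull/")
COPY_STEPS = re.compile(r"git show\s+\S+:")          # git show <ref>:<path>
EXEC_STEPS = re.compile(r"manage\.py\s+makemigrations|python\s|pip\s+install|npm\s")


def audit_workflow(text: str) -> list[str]:
    """Return findings when a pull_request_target workflow pulls PR head files
    into the workspace and then executes code that can import them."""
    findings = []
    lines = text.splitlines()
    if not any(l.strip().startswith("pull_request_target") for l in lines):
        return findings                               # unprivileged trigger: nothing to flag
    findings.append("workflow runs on pull_request_target (write token, secrets available)")
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no permissions block: GITHUB_TOKEN keeps default write scopes")
    pulled_head = False
    for n, line in enumerate(lines, 1):
        if PR_HEAD_REFS.search(line):
            pulled_head = True
            findings.append(f"line {n}: PR head ref fetched into the trusted workspace")
        elif pulled_head and COPY_STEPS.search(line):
            findings.append(f"line {n}: git show copies files from the PR ref into the tree")
        elif pulled_head and EXEC_STEPS.search(line):
            findings.append(f"line {n}: code executed after untrusted files entered the tree")
    return findings
```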
AI Analysis
Remote Code Execution (RCE) vulnerability in OWASP BLT via untrusted Django model execution in workflow
Basic Information
ID: CVE-2026-40316
Source: GitHub_M
Published: Apr 15, 2026 at 22:49
Affected Product
Vendor: OWASP-BLT
Product: BLT
Version: <= 2.1
Affected Versions: OWASP-BLT BLT <= 2.1
CWE Classification
AI Assessment
AI Score: 8.8 / 10
AI Severity: High
Vendor: OWASP
Product: BLT
Version: <= 2.1