CVE 9.5 CRITICAL

Duck Site: Untrusted pull request code can trigger privileged production deployment_CVE-2026-47174

June 11, 2026 invoker category_cve
9.5 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisfy the deploy workflow’s main branch condition, the deploy job checks out the triggering workflow commit, builds it into a Docker image, pushes it as latest, and triggers Dokploy deployment. This can allow attacker-controlled pull request code to become the deployed production site image without being merged. This issue has been patched in version 1.0.1.

AI Analysis

Untrusted pull request code can trigger privileged production deployment

Basic Information

ID CVE-2026-47174
Source GitHub_M
Published Jun 11, 2026 at 18:46

Affected Product

Vendor duck-organization
Product duck-site
Version < 1.0.1
Affected Versions duck-organization duck-site < 1.0.1

CWE Classification

CWE-829

AI Assessment

AI Score 9.5 / 10
AI Severity Critical
Vendor duck-organization
Product duck-site
Version < 1.0.1

References

πŸ’­ Join the Security Discussion

πŸ”’ Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.