Description
QGIS is a free, open source, cross platform geographical information system (GIS) The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it used the `pull_request_target` trigger and then checked out and executed untrusted pull request code in a privileged context. Workflows triggered by `pull_request_target` ran with the base repository's credentials and access to secrets. If these workflows then checked out and executed code from the head of an external pull request (which could have been attacker controlled), the attacker could have executed arbitrary commands with elevated privileges. This insecure pattern has been documented as a security risk by GitHub and security researchers. Commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 removed the vulnerable code.
Published: 2026-01-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution, Repository Compromise
Action: Immediate Patch
AI Analysis

Impact

A vulnerable GitHub Actions workflow in the QGIS repository allowed arbitrary code execution and potential repository takeover. The workflow used the pull_request_target trigger, which runs with repository secrets and elevated privileges, and it checked out and executed code from the head of an external pull request. This pattern gave an attacker the ability to run any commands on the CI environment and gain access to secrets or modify repository content, reflecting a classic example of executing untrusted code with privileged access (CWE‑863). The vulnerability would let an adversary compromise the integrity and confidentiality of the repository and any downstream services.

Affected Systems

The vulnerability existed in the QGIS project’s GitHub Actions workflow named "pre‑commit checks" prior to the commit identified by 76a693cd91650f9b4e83edac525e5e4f90d954e9. All ongoing builds that employed that workflow before the commit were potentially impacted. No specific QGIS package version was cited, but any clone or fork potentially incorporating the vulnerable workflow before the fix was at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, but the EPSS score of less than 1% suggests a currently low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require the attacker to submit a pull request to the repository; the GitHub Actions workflow would then run with the repository’s credentials, allowing the attacker to execute arbitrary code, leak secrets, or alter the code base.

Generated by OpenCVE AI on April 18, 2026 at 18:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 to the QGIS repository to remove the vulnerable workflow.
  • Restrict or eliminate pull_request triggers that execute untrusted code in a privileged context, and configure workflow permissions to the least privilege needed.
  • Audit all existing GitHub Actions workflows in the repository to ensure they do not checkout and execute untrusted code with elevated permissions; reconfigure as necessary to follow least‑privilege principles.

Generated by OpenCVE AI on April 18, 2026 at 18:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

threat_severity

Important

Tue, 27 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Qgis
Qgis qgis
Vendors & Products Qgis
Qgis qgis

Tue, 27 Jan 2026 01:00:00 +0000

Type Values Removed Values Added
Description QGIS is a free, open source, cross platform geographical information system (GIS) The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it used the `pull_request_target` trigger and then checked out and executed untrusted pull request code in a privileged context. Workflows triggered by `pull_request_target` ran with the base repository's credentials and access to secrets. If these workflows then checked out and executed code from the head of an external pull request (which could have been attacker controlled), the attacker could have executed arbitrary commands with elevated privileges. This insecure pattern has been documented as a security risk by GitHub and security researchers. Commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 removed the vulnerable code.
Title QGIS had validated RCE and Repository Takeover via GitHub Actions
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Qgis Qgis
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T20:54:42.308Z

Reserved: 2026-01-23T00:38:20.548Z

Link: CVE-2026-24480

cve-icon Vulnrichment

Updated: 2026-01-27T20:54:38.754Z

cve-icon NVD

Status : Deferred

Published: 2026-01-27T01:16:02.160

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24480

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-27T00:32:04Z

Links: CVE-2026-24480 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses