Description
melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Melange, a tool for building APK packages from declarative pipelines, has a flaw in how it handles the working-directory field. From version 0.3.0 to 0.40.2, an attacker who can supply build input values but cannot edit the pipeline definition can inject arbitrary shell commands. The vulnerable field is inserted into shell scripts without quote escaping, allowing command substitution and execution. This weakness is a classic OS command injection (CWE-78) and lets an attacker run arbitrary commands during the build process.

Affected Systems

The affected product is Chainguard Dev's Melange, versions 0.3.0 through 0.40.2 inclusive. Build inputs from an untrusted source can trigger the injection when the pipeline references ${{vars.*}} or ${{inputs.*}} within the working-directory parameter. The patch, released in version 0.40.3, corrects the escaping logic.

Risk and Exploitability

The CVSS score is 7.8, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation under current conditions, and the vulnerability is not listed in the CISA KEV catalog. Attackers need only supply malicious input values to an automated build; no control over pipeline code is required. The build system must run with sufficient privileges for the exploit to be valuable, but the flaw requires no user interaction beyond providing allowed inputs.

Generated by OpenCVE AI on April 17, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chainguard Melange to 0.40.3 or newer to apply the fix that correctly escapes working-directory values.
  • In the meantime, avoid using dynamic input substitutions in the working-directory field. Use static directory paths or remove any ${{vars.*}} or ${{inputs.*}} expressions from that parameter when triggering builds.
  • Add input validation or sanitization on build-input values to strip or escape shell metacharacters before they are propagated to script contexts, ensuring that any injected path is properly quoted.
  • Monitor build logs for unexpected shell command execution and enforce least privilege on build executor credentials to limit potential damage if an injection occurs.
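The injection described in the Impact section and the quoting and input-validation controls recommended above, shown in Go as an added illustration that is not melange's own code: RenderUnquoted mirrors the flawed interpolation pattern, ShellQuote and RenderQuoted show the quoting fix, and IsSafeWorkdir is an allowlist check a build system could apply to untrusted input values before substitution. All function names and the sample input are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RenderUnquoted reproduces the flawed pattern the advisory describes: the
// substituted working-directory value is spliced into the script verbatim, so
// shell metacharacters in it are interpreted when the build step runs.
func RenderUnquoted(workdir, body string) string {
	return fmt.Sprintf("set -e\ncd %s\n%s\n", workdir, body)
}

// ShellQuote wraps a value in single quotes so a POSIX shell treats it as one
// literal word; an embedded single quote becomes '\'' (close, escape, reopen).
func ShellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// RenderQuoted is the hardened form: the value is quoted before it reaches
// the script, so cd receives it as a single literal argument.
func RenderQuoted(workdir, body string) string {
	return fmt.Sprintf("set -e\ncd %s\n%s\n", ShellQuote(workdir), body)
}

// safeWorkdir is a defence-in-depth allowlist for build inputs that end up as
// a working directory: relative path segments drawn from a conservative set.
var safeWorkdir = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*(/[A-Za-z0-9._-]+)*$`)
// IsSafeWorkdir reports whether an untrusted value may be substituted at all.
func IsSafeWorkdir(s string) bool {
	if !safeWorkdir.MatchString(s) {
		return false
	}
	for _, seg := range strings.Split(s, "/") {
		if seg == ".." { // the character allowlist alone would admit parent traversal
			return false
		}
	}
	return true
}

func main() {
	untrusted := "out/$(echo injected)" // constructed sample, not a real build value
	fmt.Print(RenderUnquoted(untrusted, "make")) // cd would run the substitution
	fmt.Print(RenderQuoted(untrusted, "make"))   // cd gets the literal string
	fmt.Println(IsSafeWorkdir(untrusted), IsSafeWorkdir("pkg/src-1.2")) // false true
}
```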

Advisories
Source: GitHub GHSA
ID: GHSA-vqqr-rmpc-hhg2
Title: melange pipeline working-directory could allow command injection
History

Wed, 18 Feb 2026 16:00:00 +0000

Values added:
  First Time appeared: Chainguard; Chainguard melange
  CPEs: cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*
  Vendors & Products: Chainguard; Chainguard melange

Thu, 05 Feb 2026 15:15:00 +0000

Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Values added:
  First Time appeared: Chainguard-dev; Chainguard-dev melange
  Vendors & Products: Chainguard-dev; Chainguard-dev melange

Wed, 04 Feb 2026 20:00:00 +0000

Values added:
  Description: melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.
  Title: melange pipeline working-directory could allow command injection
  Weaknesses: CWE-78
  References:
  Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:33:09.866Z

Reserved: 2026-01-27T14:51:03.059Z

Link: CVE-2026-24844

Vulnrichment

Updated: 2026-02-05T14:23:15.696Z

NVD

Status: Analyzed

Published: 2026-02-04T20:16:05.550

Modified: 2026-02-18T15:55:43.790

Link: CVE-2026-24844

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses