Description
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.
Published: 2026-02-26
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Command Injection on GitHub Actions runner
Action: Patch Immediately
AI Analysis

Impact

The `release.yml` workflow in wp-graphql/wp-graphql interpolates the pull request body directly into a `run:` shell block. GitHub Actions substitutes `${{ }}` expressions as plain text before the shell ever parses the script, so a quote, semicolon, backtick or `$(...)` in the body terminates the command the workflow author intended and starts a new one: OS command injection (CWE-78). When a pull request from `develop` to `master` is merged, whatever the body contains executes on the Actions runner with the release job's privileges. The outcome is full compromise of the runner together with the job's `GITHUB_TOKEN` and any other secrets or publishing credentials the release job is granted, which is what makes this a software supply-chain exposure rather than a bug in the plugin itself.

Affected Systems

The vulnerability exists in the `release.yml` GitHub Actions workflow of the wp-graphql/wp-graphql repository before version 2.9.1, that is, in the project's release pipeline rather than in the plugin code a WordPress site runs. A site exposing the WPGraphQL endpoint is not exploitable through this bug; the exposure is to the project's CI runner and to whatever the release job can reach or publish from it. Any fork or downstream repository that copied the workflow before the fix carries the same pattern.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N) scores 7.7 High: the attacker must control the body of the `develop`-to-`master` pull request (PR:L) and a maintainer must merge it (UI:R), after which the payload runs on the Actions runner rather than in the component the attacker touched (S:C) with full read and write impact there. The EPSS score under 1% and the absence of the CVE from the CISA KEV catalog indicate that exploitation is not known or expected to be common. Because the head branch is `develop` in the same repository rather than a fork, the realistic attacker is someone who can author or edit that pull request's description, or who has compromised such an account; a crafted body need only close the quoting the workflow author intended and append further commands. The overall risk is a high-impact, low-likelihood compromise of the project's release pipeline.

Generated by OpenCVE AI on April 17, 2026 at 14:32 UTC.

Remediation

Fixed in wp-graphql/wp-graphql version 2.9.1, which removes the vulnerable expression from the `release.yml` workflow. For a checkout that still carries the old workflow, the workaround is to move `${{ github.event.pull_request.body }}` out of the `run:` block into an `env:` entry and reference the resulting variable, quoted, from the shell.

OpenCVE Recommended Actions

  • Update the wp-graphql/wp-graphql repository to version 2.9.1 or later, which removes the vulnerable expression from the release.yml workflow.
  • In any checkout still carrying the old workflow, do not interpolate `${{ github.event.pull_request.body }}` (or any other attacker-controlled event field) inside a `run:` block. Assign it to a variable under `env:` and reference that variable, double-quoted, from the shell, so the value reaches the shell as data rather than as script text. Escaping shell metacharacters in the expression is fragile and is not a substitute for this.
  • Audit existing and newly created GitHub Actions workflows for the same pattern: `${{ github.event.* }}` fields such as pull request and issue titles and bodies, comment bodies, branch names and commit messages used inside `run:` blocks. Move each into `env:`, and review whether release jobs need the secrets and permissions they hold, since a compromised runner inherits them.
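The following bash script is an added example, not code from the WPGraphQL repository. It emulates the Actions expansion step that the description relies on, to show why interpolating the body into `run:` is exploitable and why the `env:` indirection in the bullets above fixes it, and it includes the grep-based audit the last bullet calls for. The attacker body, the two `release-*.yml` samples, the `PR_BODY` variable name and the `audit_workflow` heuristic are all constructed for the illustration; the real `release.yml` is not reproduced here.

```shell
#!/usr/bin/env bash
# Added example, not code from wp-graphql/wp-graphql. It emulates the mechanism
# behind CVE-2026-27938: GitHub Actions substitutes ${{ ... }} expressions into
# the run: script as text BEFORE bash parses it, so shell metacharacters in an
# attacker-controlled field become commands. The PR body, the templates and the
# two workflow files below are constructed samples.
set -u

# The expression exactly as the advisory quotes it from release.yml.
EXPR='${{ github.event.pull_request.body }}'

# Constructed attacker-controlled PR body. The double quote closes the string
# the workflow author opened, `;` ends that command, and the remainder is new
# shell. $((40+2)) only becomes 42 if the shell evaluates the body as code.
ATTACKER_BODY='Release notes"; echo INJECTED:$((40+2)); echo "'

# Vulnerable step, as written in YAML:
#   run: echo "Release notes: ${{ github.event.pull_request.body }}"
# Emulated by textual substitution followed by bash -c, which is in effect
# what the runner does.
vulnerable_run() {
    local body="$1"
    local template="echo \"Release notes: ${EXPR}\""
    local script="${template//"$EXPR"/"$body"}"
    bash -c "$script"
}

# Hardened step (the env: intermediary recommended above):
#   env:
#     PR_BODY: ${{ github.event.pull_request.body }}
#   run: printf 'Release notes: %s\n' "$PR_BODY"
# The script text is fixed; the body reaches bash only as an environment
# variable, which is data no matter how many quotes or semicolons it holds.
safe_run() {
    local body="$1"
    PR_BODY="$body" bash -c 'printf "Release notes: %s\n" "$PR_BODY"'
}

# Event fields an outside party can populate (a subset of the script-injection
# sources GitHub's own security hardening guide lists).
UNTRUSTED='github\.event\.(pull_request\.(title|body|head\.(ref|label))|issue\.(title|body)|comment\.body|review\.body|head_commit\.message)'

# Prints every workflow line that interpolates an untrusted field with ${{ }},
# except lines of the form `NAME: ${{ ... }}` with an upper-case NAME, which is
# the env: assignment pattern (a heuristic, not a YAML parser).
# Returns 0 when nothing was flagged, 1 otherwise.
audit_workflow() {
    local file="$1" hits
    hits=$(grep -nE '\$\{\{[[:space:]]*'"$UNTRUSTED" "$file" \
        | grep -vE '^[0-9]+:[[:space:]]*[A-Z_][A-Z0-9_]*:[[:space:]]*\$\{\{' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed workflow samples written to a temp dir so the audit has input.
WORKDIR=$(mktemp -d)
VULN_WORKFLOW="$WORKDIR/release-vulnerable.yml"
SAFE_WORKFLOW="$WORKDIR/release-hardened.yml"
cat > "$VULN_WORKFLOW" <<'EOF'
on:
  pull_request:
    types: [closed]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Build release notes
        run: |
          echo "${{ github.event.pull_request.body }}" > notes.txt
EOF
cat > "$SAFE_WORKFLOW" <<'EOF'
on:
  pull_request:
    types: [closed]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Build release notes
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          printf '%s\n' "$PR_BODY" > notes.txt
EOF

main() {
    echo "--- vulnerable pattern: body is parsed as shell"
    vulnerable_run "$ATTACKER_BODY"
    echo "--- hardened pattern: body stays data"
    safe_run "$ATTACKER_BODY"
    echo "--- audit"
    audit_workflow "$VULN_WORKFLOW" || echo "flagged: $VULN_WORKFLOW"
    audit_workflow "$SAFE_WORKFLOW" && echo "clean:   $SAFE_WORKFLOW"
}
main
```

Running it prints `INJECTED:42` on its own line from the vulnerable path, because the arithmetic expansion inside the body was evaluated as shell, while the hardened path prints the body verbatim, `$((40+2))` included. The audit flags the `echo "${{ ... }}"` line of the first sample and passes the second; because it is line-based, treat its output as review candidates rather than proof of safety, and extend `UNTRUSTED` with any further fields a workflow consumes.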


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpgraphql; Wpgraphql wpgraphql

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpgraphql; Wpgraphql wpgraphql

Thu, 26 Feb 2026 01:30:00 +0000

Type: Description
Values Added: WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.

Type: Title
Values Added: WPGraphQL Repo Vulnerable to Command Injection via Unsanitized GitHub Actions Expression in Release Workflow

Type: Weaknesses
Values Added: CWE-78

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T19:22:46.590Z

Reserved: 2026-02-25T03:11:36.689Z

Link: CVE-2026-27938

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-02-26T02:16:21.960

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses