Description
Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.
Published: 2026-03-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability is in Black's GitHub Action when the use_pyproject option is enabled. The action reads pyproject.toml from the repository and interprets a direct URL as the source of the Black executable. An attacker who can submit a pull request can modify pyproject.toml to point to a malicious repository. This results in arbitrary code execution within the action runtime, allowing the attacker to access secrets or other permissions that the action possesses. The weakness stems from improper input validation (CWE-20).

Affected Systems

Vendor: psf; product: black (the Black code formatter and its GitHub Action). The vulnerability affects every deployment that runs Black in GitHub Actions with use_pyproject: true on any Black version earlier than 26.3.0. No finer-grained version details are provided beyond the fix in 26.3.0.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity. The EPSS score is less than 1%, suggesting the probability of exploitation is currently low, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a malicious pull request that modifies pyproject.toml to reference an attacker-controlled repository. Exploitation requires the attacker to be able to craft and submit a pull request, which is feasible for core contributors or attackers with compromised credentials. Once exploited, the attacker can execute arbitrary commands in the action environment.

Generated by OpenCVE AI on March 16, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Black to version 26.3.0 or later. If an upgrade is not immediately possible, disable use_pyproject: true in the GitHub Action workflow or reject pyproject.toml changes that reference external URLs.

Generated by OpenCVE AI on March 16, 2026 at 23:11 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-v53h-f6m7-xcgm
Title: Black's vulnerable version parsing leads to RCE in GitHub Action
History

Mon, 16 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python black
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:python:black:*:*:*:*:*:*:*:*
Vendors & Products Python
Python black
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Psf
Psf black
Vendors & Products Psf
Psf black

Wed, 11 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.
Title Black's vulnerable version parsing leads to RCE in GitHub Action
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T03:55:48.806Z

Reserved: 2026-03-09T21:59:02.689Z

Link: CVE-2026-31900

Vulnrichment

Updated: 2026-03-12T19:59:38.486Z

NVD

Status : Analyzed

Published: 2026-03-11T20:16:15.960

Modified: 2026-03-16T20:02:12.730

Link: CVE-2026-31900

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:29:21Z

Weaknesses