Description
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with full GITHUB_TOKEN write permissions, copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show, and then executes python manage.py makemigrations, which imports Django model modules including attacker-controlled website/models.py at runtime. Any module-level Python code in the attacker's models.py is executed during import, enabling arbitrary code execution in the privileged CI environment with access to GITHUB_TOKEN and repository secrets. The attack is triggerable by any external contributor who can open a pull request, provided a maintainer applies the regenerate-migrations label, potentially leading to secret exfiltration, repository compromise, and supply chain attacks. A patch for this issue is expected to be released in version 2.1.1.
Published: 2026-04-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the OWASP BLT workflow permits attacker-supplied Python code to run when a labeled pull request is processed. The workflow, defined in .github/workflows/regenerate-migrations.yml, runs on the pull_request_target trigger, copies the submitter's website/models.py from the untrusted pull request into the trusted runner workspace with git show, and then runs Django's makemigrations command. makemigrations imports every installed app's models module, so any top-level statement in the attacker's models.py is evaluated at import time, giving the attacker arbitrary code execution with the full privileges of the CI job. Because pull_request_target jobs run in the context of the base repository, the job's GITHUB_TOKEN has write access to the repository and the job can read repository secrets, enabling secret exfiltration, repository tampering, or supply-chain injection.

Affected Systems

The CVE record lists OWASP BLT versions earlier than 2.1.1, identified as vendor/product Owasp-blt:blt. The vulnerable code is the CI workflow in the project's public GitHub repository, so the exposure is the repository's GitHub Actions environment (its GITHUB_TOKEN and secrets) rather than the Django application served by a deployed BLT instance.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) rates the issue High; the UI:R component reflects the maintainer action the attack depends on. The EPSS estimate is below 1%, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; the SSVC assessment attached to the record gives Exploitation: poc, Automatable: no and Technical Impact: total. Code execution requires an external contributor to open a pull request and a maintainer to apply the regenerate-migrations label, after which the attacker's module-level Python in website/models.py runs inside the privileged CI job.

Generated by OpenCVE AI on April 16, 2026 at 02:16 UTC.

Remediation

No vendor fix or workaround is recorded in the CVE record; the description states that a patch is expected in version 2.1.1.

OpenCVE Recommended Actions

  • Upgrade the OWASP BLT instance to version 2.1.1 or later once the vendor releases the fix.
  • If the patch is not yet available, disable or delete the .github/workflows/regenerate-migrations.yml workflow, or rewrite it to use the pull_request trigger (which runs fork pull requests with a read-only token and without repository secrets) instead of pull_request_target, so that nothing taken from the pull request head is executed in a privileged context.
  • Set an explicit permissions: block on the workflow (contents: read unless a job genuinely has to push) so the GITHUB_TOKEN carries only the scope each job needs, and keep any step that imports or runs pull-request code out of jobs that hold write permissions or secrets.
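The following is an added example illustrating both the Impact section and the recommended actions above; it is not code from OWASP BLT or from OpenCVE. The two workflow snippets are constructed to match the CVE description (label-gated pull_request_target, git show of the PR head, makemigrations) and are not the project's actual regenerate-migrations.yml; the hardened variant shows the same job on the plain pull_request trigger with a read-only token. The audit function is a text-level heuristic for finding the same pattern in other workflow files; its pattern list and finding codes are this example's own choices.

```python
import re

# Constructed sample, modelled on the CVE description of the vulnerable
# workflow (not the project's actual regenerate-migrations.yml):
# pull_request_target gated on a label, PR files copied in with `git show`,
# then makemigrations imports website/models.py.
VULNERABLE_WORKFLOW = """\
name: Regenerate migrations
on:
  pull_request_target:
    types: [labeled]
permissions:
  contents: write
  pull-requests: write
jobs:
  regenerate:
    if: github.event.label.name == 'regenerate-migrations'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: git fetch origin pull/${{ github.event.pull_request.number }}/head:pr
      - run: git show pr:website/models.py > website/models.py
      - run: python manage.py makemigrations
"""

# Hardened variant (also constructed): the plain pull_request trigger runs
# fork PRs with a read-only GITHUB_TOKEN and no repository secrets, the
# checkout action takes the PR merge ref itself, and the job only checks
# whether migrations are missing instead of writing them back.
HARDENED_WORKFLOW = """\
name: Check migrations
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python manage.py makemigrations --check --dry-run
"""

# Ways a workflow commonly pulls the untrusted PR head into the workspace
# (heuristic list, not exhaustive).
PR_HEAD_PATTERNS = [
    r"github\.event\.pull_request\.head\.(sha|ref)",
    r"pull/\$\{\{\s*github\.event\.pull_request\.number\s*\}\}/head",
    r"refs/pull/\S+/head",
]
RUN_STEP = re.compile(r"\s*-?\s*run\s*:")


def audit_workflow(text):
    """Heuristic, text-level audit of one workflow file.

    Returns a list of (code, message) findings; an empty list means the
    file does not use pull_request_target at all.
    """
    lines = text.splitlines()
    if not any(re.match(r"\s*pull_request_target\s*:", ln) for ln in lines):
        return []
    findings = [("target_trigger",
                 "pull_request_target: job runs in the base-repository context "
                 "with secrets and the default GITHUB_TOKEN")]

    head_lines = [i for i, ln in enumerate(lines)
                  if any(re.search(p, ln) for p in PR_HEAD_PATTERNS)]
    if head_lines:
        findings.append(("pr_head_in_workspace",
                         "untrusted PR head brought into the trusted workspace at line "
                         + ", ".join(str(i + 1) for i in head_lines)))
        # Any run: step after that point executes with attacker files present.
        later_runs = [i for i, ln in enumerate(lines)
                      if i > head_lines[0] and RUN_STEP.match(ln)]
        if later_runs:
            findings.append(("exec_after_untrusted",
                             "run: step at line %d executes with attacker-controlled "
                             "files present" % (later_runs[0] + 1)))

    if not re.search(r"^\s*permissions\s*:", text, re.M):
        findings.append(("write_token",
                         "no permissions: block, so GITHUB_TOKEN keeps the repository "
                         "default scope"))
    elif re.search(r"^\s*contents\s*:\s*write", text, re.M):
        findings.append(("write_token", "GITHUB_TOKEN has contents: write"))
    return findings


def is_poisoned_pipeline(text):
    """True when untrusted PR content can run inside a pull_request_target job."""
    return any(code == "exec_after_untrusted" for code, _ in audit_workflow(text))


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, "->", "POISONED" if is_poisoned_pipeline(wf) else "ok")
        for code, msg in audit_workflow(wf):
            print("  [%s] %s" % (code, msg))
```

Run it against every file under .github/workflows to find other jobs with the same shape; a pull_request_target job that neither fetches the PR head nor runs anything after doing so is reported but not flagged as poisoned, because the combination of the three conditions is what turns a labelled pull request into code execution.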

Generated by OpenCVE AI on April 16, 2026 at 02:16 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 09:30:00 +0000

Type: First Time appeared
Values Added: Owasp-blt, Owasp-blt blt
Type: Vendors & Products
Values Added: Owasp-blt, Owasp-blt blt

Wed, 15 Apr 2026 23:00:00 +0000

Type: Description
Values Added: (the description shown at the top of this page)
Type: Title
Values Added: OWASP BLT has RCE in Github Actions via untrusted Django model execution in workflow
Type: Weaknesses
Values Added: CWE-94, CWE-95
Type: References
Values Added: (not shown on this page)
Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T14:18:12.374Z

Reserved: 2026-04-10T21:41:54.505Z

Link: CVE-2026-40316

Vulnrichment

Updated: 2026-04-16T14:17:55.271Z

NVD

Status : Received

Published: 2026-04-15T23:16:10.220

Modified: 2026-04-15T23:16:10.220

Link: CVE-2026-40316

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:12:12Z

Weaknesses