Description
Skim is a fuzzy finder designed to search through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation: any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.
Published: 2026-04-24
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate patch
AI Analysis

Impact

The vulnerability allows an attacker to execute arbitrary code within the CI environment of the Skim repository. The flaw resides in the generate-files job of the GitHub Actions workflow pr.yml, which checks out code from an attacker-controlled fork without any vetting and runs it with cargo run, giving that process the SKIM_RS_BOT_PRIVATE_KEY and a GITHUB_TOKEN with contents:write permissions. This is a classic CWE-94 code injection flaw: untrusted input (the fork's code) is executed in a privileged context. Successful exploitation gives the attacker full control over the CI run, enabling arbitrary command execution, secrets exfiltration, or deployment of malicious binaries.

Affected Systems

Skim is an open-source fuzzy finder maintained under skim-rs/skim. The affected component is the repository's GitHub Actions workflow file pr.yml, which is part of every release of the project. The advisory lists no specific product release version; the issue is fixed by commit bf63404ad51985b00ed304690ba9d477860a5a75, and administrators using any version predating that commit are vulnerable.

Risk and Exploitability

The CVSS base score of 7.4 rates this as a high-severity vulnerability. The EPSS score is reported as < 1%, meaning exploitation attempts are currently rare, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is server-side code execution via GitHub Actions, triggerable by any public user who submits a pull request from a fork. Because the workflow runs with elevated tokens, the likelihood of successful abuse is high for any organization that runs the workflow unchanged. With no gates or checks in place, exploitation requires no privilege beyond the ability to author a fork.

Generated by OpenCVE AI on April 28, 2026 at 05:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Skim to a fixed version that includes commit bf63404ad51985b00ed304690ba9d477860a5a75, ensuring the repository's workflow file is replaced.
  • If the older workflow must remain, modify the GitHub Actions configuration so that the generate-files job runs only on pull_request events (not pull_request_target), or add a guard that refuses checkouts from non-trusted forks.
  • Limit the permissions of GITHUB_TOKEN in the workflow to contents:read and remove SKIM_RS_BOT_PRIVATE_KEY from the environment, or use a dedicated, least-privileged token.
  • Monitor workflow execution logs for unexpected commands and consider disabling the generate-files job until the update is applied.
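As an added illustration (not the project's actual pr.yml, whose contents the advisory does not reproduce), the following constructed workflow contrasts the dangerous shape described in the Impact section with a hardened layout that applies the actions above; the binary name generate-files, the job names and the skim-rs-bot identity are assumptions.

```yaml
# Constructed example, not skim-rs/skim's real pr.yml. Binary, job and bot names are assumed.
# WEAK shape described by the advisory, kept commented out for comparison:
#   on: pull_request_target        # base-repo context: secrets and a write token available
#   jobs:
#     generate-files:
#       permissions: { contents: write }
#       steps:
#         - uses: actions/checkout@v4
#           with:
#             ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
#         - run: cargo run --bin generate-files                # ...executed with secrets
#           env:
#             SKIM_RS_BOT_PRIVATE_KEY: ${{ secrets.SKIM_RS_BOT_PRIVATE_KEY }}
#
# HARDENED layout: fork code runs only under pull_request (read-only token, no secrets);
# the write-back job is gated to branches of this repository.
name: PR checks
on:
  pull_request:
permissions:
  contents: read          # default for every job; escalate per job only where needed
jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # fork code, but no secrets and a read-only token
      - run: cargo run --bin generate-files
      - run: git diff --exit-code          # fail the PR if generated files are stale
  commit-generated-files:
    needs: generate-files
    # Guard: only same-repo branches reach this job; fork PRs never see the bot key.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}   # safe only because head repo == base repo
      - run: cargo run --bin generate-files
      - run: |
          git config user.name "skim-rs-bot"
          git config user.email "skim-rs-bot@example.invalid"
          git add -A
          if ! git diff --cached --quiet; then
            git commit -m "chore: regenerate files" && git push
          fi
        env:
          SKIM_RS_BOT_PRIVATE_KEY: ${{ secrets.SKIM_RS_BOT_PRIVATE_KEY }}   # exposed only behind the guard
```

Fork pull requests still get their generated files checked (and fail the PR if stale), while the secret and the write-capable token are reachable only from branches the repository's own maintainers control.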

Advisories

No advisories yet.

History

Fri, 01 May 2026 19:15:00 +0000
  CPEs (added): cpe:2.3:a:skim-rs:skim:*:*:*:*:*:rust:*:*

Mon, 27 Apr 2026 20:45:00 +0000
  First Time appeared (added): Skim-rs; Skim-rs skim
  Vendors & Products (added): Skim-rs; Skim-rs skim

Mon, 27 Apr 2026 15:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 14:30:00 +0000
  (no field changes recorded)

Fri, 24 Apr 2026 19:00:00 +0000
  Description (added): Skim is a fuzzy finder designed to search through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation: any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.
  Title (added): Skim: Arbitrary code execution via pull_request_target fork checkout in pr.yml
  Weaknesses (added): CWE-94
  References (added): (none listed)
  Metrics (added): cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N'}

No values were removed in any of the entries above.

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-27T13:45:23.120Z
Reserved: 2026-04-20T15:32:33.812Z
Link: CVE-2026-41414

Vulnrichment

Updated: 2026-04-27T13:45:14.144Z

NVD

Status: Analyzed
Published: 2026-04-24T19:17:13.020
Modified: 2026-05-01T19:03:15.480
Link: CVE-2026-41414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z

Weaknesses