CVE-2026-44246 - Vulnerability Details

Description

nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable to Agentic Workflow Injection. The workflow sets allowed_non_write_users: ${{ github.event.issue.user.login }}, which means any logged-in GitHub user who opens an issue can reach this agentic workflow with attacker-controlled content. Untrusted issue title and body content are embedded directly into the prompt of anthropics/claude-code-action, and the workflow then runs a command-capable Claude agent with permission to comment on and relabel the current issue via gh. Because this workflow is triggered automatically on issues.opened, an external attacker can submit a crafted issue that steers the agent beyond its intended issue-triage purpose and influences authenticated issue actions. This vulnerability is fixed in 2.4.1.

Published: 2026-05-12

Score: 7.2 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The nnU-Net issue triage workflow contains an agentic workflow injection flaw. It directly inserts the untrusted issue title and body into the prompt for an anthropic/claude-code-action agent. Because the workflow grants the agent command‑capable access to comment and relabel the issue, an attacker can craft a GitHub issue that steers the agent beyond its intended triage purpose and execute arbitrary actions on the repository. This lack of input validation and the unlimited command scope can lead to unauthorized modifications of issue metadata, comments, or labels issued under the account that triggered the workflow.

Affected Systems

The vulnerability affects the MIC‑DKFZ nnUNet project. Any repository using the default .github/workflows/issue-triage.yml workflow prior to version 2.4.1 is susceptible. Users who have not upgraded to 2.4.1 or later are at risk.

Risk and Exploitability

The CVSS score of 7.2 classifies the flaw as a high‑severity vulnerability. EPSS data is unavailable, so exact exploitation probability cannot be quantified, but the flaw is listed as not present in KEV. The likely attack vector is through the automatic issue.opened trigger, requiring an authenticated GitHub user with permission to create issues. An attacker can submit a crafted issue and manipulate the workflow to perform unauthorized actions, potentially impacting the integrity and visibility of issue tracking on projects that rely on nnUNet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MIC-DKFZ

nnUNet

affected

Version	Status	Constraints
`< 2.4.1`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the nnUNet repository to version 2.4.1 or later, where the issue-triage workflow has been secured.
Verify that the .github/workflows/issue-triage.yml file has been updated; if the file still exists, replace or delete it to prevent accidental execution.
If an update cannot be performed immediately, temporarily disable the issue-triage workflow by renaming the workflow file or modifying its triggers so it no longer runs on issue.opened, and monitor issue events for suspicious activity.

Generated by OpenCVE AI on May 12, 2026 at 22:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/MIC-DKFZ/nnUNet/security/advisories/GHSA-63mx-j37w-gh59

History

Tue, 12 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable to Agentic Workflow Injection. The workflow sets allowed_non_write_users: ${{ github.event.issue.user.login }}, which means any logged-in GitHub user who opens an issue can reach this agentic workflow with attacker-controlled content. Untrusted issue title and body content are embedded directly into the prompt of anthropics/claude-code-action, and the workflow then runs a command-capable Claude agent with permission to comment on and relabel the current issue via gh. Because this workflow is triggered automatically on issues.opened, an external attacker can submit a crafted issue that steers the agent beyond its intended issue-triage purpose and influences authenticated issue actions. This vulnerability is fixed in 2.4.1.
Title		nnU-Net: Agentic workflow injection in `.github/workflows/issue-triage.yml` of `MIC-DKFZ/nnUNet`
Weaknesses		CWE-1427
References		https://github.com/MIC-DKFZ/nnUNet/security/advisories/GHSA-63mx-j37w-gh59
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-12T20:41:32.162Z

Updated: 2026-05-12T20:41:32.162Z

Reserved: 2026-05-05T16:33:55.844Z

Link: CVE-2026-44246

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T21:16:16.543

Modified: 2026-05-12T21:16:16.543

Link: CVE-2026-44246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:45:15Z

Weaknesses

CWE-1427

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object