Description
CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens without requiring maintainer approval. This issue has been patched via commit fcf9302.
Published: 2026-06-01
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker submitting a pull request from a forked repository to execute arbitrary code within the pull_request_target workflow, which runs in a privileged context with access to the base repository's secrets. This results in the exposure and exfiltration of repository secrets such as Docker Hub credentials and other tokens. The weakness is identified as CWE-94 (code injection), reflecting unsafe execution of untrusted code.

Affected Systems

The issue affects the CloudPirates-io helm-charts repository, specifically all releases or branches of the open-source Helm charts collection prior to commit fcf9302. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score is 10, indicating the highest severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a fork pull request that triggers the pull_request_target event; the attacker does not need maintainer approval to cause the workflow to run with repository secrets exposed.

Generated by OpenCVE AI on June 1, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the repository to the patched commit fcf9302, which removes the vulnerable workflow or correctly restricts its execution.
  • Disable or modify the pull_request_target event so that it only runs for trusted contributors, for example by adding a safeguard that rejects forked pull requests, or by switching to the pull_request event, which runs fork pull requests with a read-only token and without access to repository secrets.
  • Configure minimal workflow permissions in the repository settings, ensuring that secrets are only exposed to workflows that explicitly require them, and revoke any unused secrets from the repository.
  • Audit and review the actions and workflow files regularly to detect any privileged executions that are unintended or unnecessary.
  • Set up alerts for abnormal secret usage or egress so that suspicious exfiltration attempts can be identified and investigated promptly.
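As an added illustration of the two workflow shapes these recommendations contrast (constructed here, not the repository's actual pull-request.yaml), the first document shows the risky pattern an audit should flag, the second the hardened form; the secret name DOCKERHUB_TOKEN and the script path ./ci/lint.sh are assumed:

```yaml
# Constructed example, not the project's own workflow file.
# Document 1: the risky shape. pull_request_target runs in the BASE repository's
# context (secrets and a write-capable token available), yet it checks out and
# executes the fork's code, so the PR author controls what runs with those secrets.
name: pr-risky
on:
  pull_request_target:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork-controlled code
      - name: Lint charts
        run: ./ci/lint.sh                                 # script from the fork
        env:
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} # reachable by that code
---
# Document 2: the hardened shape. pull_request from a fork receives a read-only
# GITHUB_TOKEN and no repository secrets; permissions are pinned to the minimum,
# and nothing that needs credentials runs on untrusted input.
name: pr-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: the PR merge commit, no secrets
      - name: Lint charts
        run: ./ci/lint.sh
```

Publishing steps that genuinely need Docker Hub credentials belong in a separate workflow triggered on push to the default branch or on release, after the change has been reviewed and merged.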


Tracking


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens without requiring maintainer approval. This issue has been patched via commit fcf9302.
Title | | CloudPirates Open Source Helm Charts: GitHub Actions pull_request_target workflow allows secret exfiltration via fork pull requests
Weaknesses | | CWE-94
References | |
Metrics (cvssV3_1) | | {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T19:06:45.455Z

Reserved: 2026-05-08T20:08:17.209Z

Link: CVE-2026-45131

Vulnrichment

Updated: 2026-06-01T19:06:33.153Z

NVD

Status: Deferred

Published: 2026-06-01T17:17:08.450

Modified: 2026-06-01T18:14:29.087

Link: CVE-2026-45131

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T18:45:34Z

Weaknesses