Impact
CloudPirates‑io’s open‑source Helm charts contained a GitHub Actions workflow that performed unsafe checkout operations, allowing anyone who could create a fork to inject malicious code into the workflow. The workflow used a Personal Access Token and an SSH signing key in its environment, which were exposed through the logs and outputs during the generation of schema files. An attacker who gains fork control could thus recover these secrets and potentially access any infrastructure or services authenticated with them, compromising confidentiality and enabling further lateral movement.
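To make the unsafe-checkout pattern concrete, the following is an added, generic illustration of the two workflow shapes involved; it is not the project's generate-schema.yaml, and the job name, the `make generate-schema` step and the secret names `PAT` and `SSH_SIGNING_KEY` are assumed for the example. The first document shows the weak shape (a privileged `pull_request_target` trigger combined with a checkout of the pull request head), the second a hardened shape in which fork code runs without repository secrets.

```yaml
# --- UNSAFE shape (illustrative, not the project's file) ---------------------
# pull_request_target runs in the BASE repository's context, so repository
# secrets are injected. Checking out the PR head then executes code that the
# fork author controls, with those secrets present in the environment.
on:
  pull_request_target:
    types: [opened, synchronize]

jobs:
  generate-schema:                     # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - run: make generate-schema      # assumed step; runs fork-controlled scripts
        env:
          GH_TOKEN: ${{ secrets.PAT }}                  # assumed secret names
          SSH_SIGNING_KEY: ${{ secrets.SSH_SIGNING_KEY }}

---
# --- HARDENED shape ---------------------------------------------------------
# pull_request runs in the FORK's context: GitHub does not pass repository
# secrets to it and GITHUB_TOKEN is read-only, so fork code can be built and
# checked without anything sensitive to leak.
on:
  pull_request:
    types: [opened, synchronize]

permissions:
  contents: read                       # least privilege for the default token

jobs:
  generate-schema:                     # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave a token in .git/config
      - run: make generate-schema      # assumed step; no secrets in env
      # Verify instead of committing: the job fails if the generated schema
      # differs from what the PR contains, so no signing key is needed in CI.
      - run: git diff --exit-code
```

If generated files must be committed back with a signing key, keep that step in a separate workflow that runs only on the default branch (for example on `push`) over code that maintainers have already merged, so fork-supplied code never executes while those secrets are present.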
Affected Systems
Any user who had cloned or deployed the CloudPirates‑io:helm‑charts repository before commit fcf930211604652aec15085895b6457bc8b73b54 was affected. The vulnerability applies to all chart releases that include the generate-schema.yaml GitHub Actions workflow and have not been updated to that fixed commit; the issue is specific to the pre‑fix versions of the helm charts.
Risk and Exploitability
The CVSS score of 10 indicates critical severity, and the vulnerability is classified as CWE‑94: Improper Control of Generation of Code via Runtime Parameters. Although no EPSS score is available, the nature of the vulnerability (secrets exposed through a public CI workflow) means it could be exploited by any malicious actor who can control a fork of the repository. The issue is not listed in the CISA KEV catalog, but given the high CVSS score and the ease of exploitation in the affected workflow, it presents a significant risk to environments that rely on these helm charts.
OpenCVE Enrichment