Description
In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisfy the deploy workflow’s main branch condition, the deploy job checks out the triggering workflow commit, builds it into a Docker image, pushes it as latest, and triggers Dokploy deployment. This can allow attacker-controlled pull request code to become the deployed production site image without being merged. This issue has been patched in version 1.0.1.
Published: 2026-06-11
Score: 9.5 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Duck Site before version 1.0.1 had a CI/CD workflow that executed a deployment job after a build job finished. The build job triggered on pull requests, while the deploy job ran with package-write permissions and deployment secrets. An attacker could create a pull request that satisfied the deploy job's main-branch condition; the workflow would then check out the PR commit, build it into a Docker image, publish it as latest, and trigger a Dokploy deployment. This allows attacker code to be deployed to production without being merged, effectively executing arbitrary code on the production site.

Affected Systems

The vulnerable product is Duck Site from duck-organization. All releases prior to 1.0.1 are affected. Version 1.0.1 includes a patch that prevents the deploy workflow from running on unmerged pull requests. Users should upgrade to 1.0.1 or later to remediate the issue.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.5, indicating a very high risk of remote exploitation. EPSS data is not available and the issue is not listed in the CISA KEV catalog. The attack vector is remote, relying on the ability to submit a pull request that the CI system will accept and deploy. Because the exploit requires only the standard pull request submission workflow and leverages privileged deployment secrets, the gap represents a serious security risk until the fix is applied.

Generated by OpenCVE AI on June 11, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Duck Site to version 1.0.1 or newer
  • Restrict the deployment workflow to run only on merged pull requests or protected branches so that unmerged code cannot trigger deployment
  • Revoke or limit package-write permissions and deployment secrets used by the CI deployment job, and enforce strict authentication for deployment triggers
  • If an upgrade is delayed, temporarily disable the deploy workflow for pull requests
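The workflow shape this record describes, with the gate the recommended actions call for, as an added example that is not Duck Site's actual workflow file (the workflow names, the ghcr.io image, the `production` environment and the `DOKPLOY_WEBHOOK` secret are assumptions). The weak `workflow_run` gate is kept in comments beside the hardened one.

```yaml
# deploy.yml (added example, not Duck Site's file; names are assumed)
name: Deploy
on:
  workflow_run:
    workflows: ["Build"]       # Build also runs on pull_request
    types: [completed]
permissions:
  contents: read
  packages: write              # package-write, plus the deployment secret below
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production    # keep DOKPLOY_WEBHOOK in a protected environment
    # Vulnerable gate was only:
    #   conclusion == 'success' && head_branch == 'main'
    # A branch name alone does not prove the run came from a push to this
    # repository's main branch, and the job then checked out head_sha.
    # Hardened gate: the triggering run must be a push event, from this
    # repository, on main.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push' &&
      github.event.workflow_run.head_branch == 'main' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          # Vulnerable: ref: ${{ github.event.workflow_run.head_sha }}
          ref: main            # deploy the protected branch tip only
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: |
          docker build -t ghcr.io/${{ github.repository }}:latest .
          docker push ghcr.io/${{ github.repository }}:latest
      - run: curl -fsS -X POST "$DOKPLOY_WEBHOOK"   # deployment trigger (assumed)
        env:
          DOKPLOY_WEBHOOK: ${{ secrets.DOKPLOY_WEBHOOK }}
```

Until the upgrade is applied, the same effect can be had by disabling this workflow for pull-request-originated runs, as the actions above suggest.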

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Type: Description
Values removed: (none)
Values added: (identical to the Description at the top of this page)
Type: Title
Values removed: (none)
Values added: Duck Site: Untrusted pull request code can trigger privileged production deployment
Type: Weaknesses
Values removed: (none)
Values added: CWE-829
Type: References
Values removed: (none)
Values added: (none listed)
Type: Metrics
Values removed: (none)
Values added: cvssV4_0 {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T19:47:33.704Z

Reserved: 2026-05-18T21:25:34.497Z

Link: CVE-2026-47174

Vulnrichment

Updated: 2026-06-11T19:41:21.455Z

NVD

Status : Deferred

Published: 2026-06-11T19:16:45.557

Modified: 2026-06-11T21:16:22.033

Link: CVE-2026-47174

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:30:09Z

Weaknesses
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere