PatchSiren cyber security CVE debrief
CVE-2026-45131 CloudPirates-io CVE debrief
A critical vulnerability in CloudPirates Open Source Helm Charts allowed arbitrary code execution from fork pull requests within a privileged GitHub Actions workflow context. Prior to commit fcf9302, the pull-request.yaml workflow executed attacker-controlled code without maintainer approval, exposing repository secrets including Docker Hub credentials and tokens. The CVSS 3.1 score of 10.0 reflects a network attack vector, low attack complexity, no privileges required, no user interaction, and a changed scope with high impact to confidentiality and integrity. The vulnerability was classified as CWE-94 (Improper Control of Generation of Code). The issue was patched in commit fcf9302.
- Vendor: CloudPirates-io
- Product: helm-charts
- CVSS: CRITICAL (10.0)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations using CloudPirates Helm Charts in CI/CD pipelines, DevOps teams managing GitHub Actions workflows that accept fork-based contributions, and security teams responsible for supply chain and secret management in open-source repositories.
Technical summary
The CloudPirates Open Source Helm Charts repository contained a GitHub Actions workflow (pull-request.yaml) that executed code from fork pull requests in a privileged context. This allowed unauthenticated attackers to execute arbitrary code and exfiltrate repository secrets, including Docker Hub credentials and tokens, without requiring maintainer approval. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code). The fix in commit fcf9302 addresses this execution path.
Defensive priority
CRITICAL
Recommended defensive actions
- Audit GitHub Actions workflows for pull_request_target or similar triggers that may execute untrusted code from forks without approval gates
- Require maintainer approval for workflow runs from fork pull requests, especially in repositories with access to secrets
- Review repository secret exposure and rotate any credentials that may have been accessible during the vulnerable period, including Docker Hub credentials and tokens
- Apply the patch from commit fcf9302 or upgrade to a version that includes this fix
- Apply the principle of least privilege to CI/CD secrets, using environment-specific or job-specific secrets rather than repository-wide secrets where possible
- Enable branch protection rules and required reviews to prevent unauthorized workflow modifications
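The first two actions above (audit workflows for privileged fork-triggered runs, and confirm an approval gate exists) can be turned into a repeatable check. The scanner below is an added example written for this debrief; it is not code from the CloudPirates project, and the two sample workflows it scans are constructed to show the risky shape and a safe shape, not the contents of the real pull-request.yaml. It assumes the well-documented GitHub Actions pattern in which a `pull_request_target` (or `workflow_run` / `issue_comment`) trigger runs with the base repository's secrets, and becomes dangerous when the job also checks out the contributor's commit via `github.event.pull_request.head.sha` or `github.head_ref`. The approval-gate detection is a heuristic (an `environment:` key or a label condition), so treat a "review" result as something to confirm by hand.

```python
"""Heuristic scanner for GitHub Actions workflows that combine a privileged
trigger with a checkout of untrusted fork code and use of secrets.

Added example for this debrief; not the CloudPirates project's own code.
Sample workflows below are constructed, not the real pull-request.yaml.
"""
import re
from pathlib import Path

# Triggers that run with the base repository's secrets even for fork events.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run", "issue_comment")

# Expressions that make actions/checkout fetch the contributor's commit.
PR_HEAD_REFS = (
    re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)"),
    re.compile(r"github\.head_ref"),
)

SECRET_USE = re.compile(r"\$\{\{\s*secrets\.\w+")

# Weak signal of an approval gate: a deployment environment (which can require
# reviewers) or a label condition such as a 'safe-to-test' label.
APPROVAL_GATE = re.compile(
    r"^\s*environment\s*:|pull_request\.labels\.\*\.name", re.MULTILINE
)


def trigger_section(text):
    """Return the top-level `on:` block (lines up to the next unindented key)."""
    collected, inside = [], False
    for line in text.splitlines():
        if re.match(r"^on\s*:", line):
            inside = True
            collected.append(line)
            continue
        if inside:
            if line.strip() and not line.startswith((" ", "\t", "-")):
                break
            collected.append(line)
    return "\n".join(collected)


def assess_workflow(text):
    """Classify one workflow as 'critical', 'high', 'review' or 'ok'."""
    triggers = trigger_section(text)
    privileged = [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", triggers)]
    checks_out_head = any(p.search(text) for p in PR_HEAD_REFS)
    uses_secrets = bool(SECRET_USE.search(text))
    gated = bool(APPROVAL_GATE.search(text))

    if privileged and checks_out_head:
        # Untrusted code runs in the privileged context; secrets make it critical
        # unless some approval gate is visible in the YAML.
        severity = "review" if gated else ("critical" if uses_secrets else "high")
    elif privileged and uses_secrets:
        severity = "review"  # secrets present; confirm no untrusted input is executed
    else:
        severity = "ok"
    return {
        "severity": severity,
        "privileged_triggers": privileged,
        "checks_out_pr_head": checks_out_head,
        "uses_secrets": uses_secrets,
        "approval_gate": gated,
    }


def scan_directory(repo_root):
    """Assess every workflow file under .github/workflows of a checkout."""
    results = {}
    for path in sorted(Path(repo_root).glob(".github/workflows/*.y*ml")):
        results[str(path)] = assess_workflow(path.read_text(encoding="utf-8"))
    return results


# Constructed sample: the risky shape (privileged trigger + PR head checkout + secrets).
VULNERABLE_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./scripts/lint.sh
        env:
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
"""

# Constructed sample: the safe shape (pull_request trigger, read-only token, no secrets).
SAFE_WORKFLOW = """\
name: pr-checks
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/lint.sh
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, assess_workflow(wf))
```

Run `scan_directory(".")` from a repository checkout to assess all workflow files; any "critical" or "high" finding is a candidate for the remediation steps listed above (switch to `pull_request`, drop the head-ref checkout, or put the secret-bearing steps behind an approval gate).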
Evidence notes
CVE published 2026-06-01T17:17:08.450Z; modified 2026-06-01T18:14:29.087Z. Patch commit fcf9302 and GitHub Security Advisory GHSA-c47r-c7gw-cvph confirm the vulnerability and remediation. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N.