PatchSiren cyber security CVE debrief
CVE-2026-45132 CloudPirates-io CVE debrief
A critical vulnerability in CloudPirates Open Source Helm Charts exposed CI credentials through unsafe GitHub Actions workflow practices. Before commit fcf9302, the generate-schema.yaml workflow checked out pull request code from forks and handled credentials in a way that let fork-controlled code reach a Personal Access Token and an SSH signing key. This is a supply-chain risk: a malicious pull request from a fork could exfiltrate secrets carrying repository write access and code-signing capability, with no maintainer interaction required. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N) reflects network reachability, low attack complexity, no privileges or user interaction, changed scope, and high impact to confidentiality and integrity; availability is not affected. The CWE-94 classification identifies code injection as the underlying weakness, since the workflow executed attacker-supplied code. Commit fcf9302 fixed the unsafe checkout and credential handling. No exploitation in ransomware campaigns has been reported.
- Vendor
- CloudPirates-io
- Product
- helm-charts
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-01
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-06-01
- Advisory updated
- 2026-06-01
Who should care
Organizations running CloudPirates Helm Charts in production, DevOps teams managing Helm deployments, security teams monitoring supply-chain risk, and maintainers of open-source projects whose GitHub Actions workflows handle secrets while processing pull requests from forks.
Technical summary
The generate-schema.yaml workflow in CloudPirates Open Source Helm Charts performed unsafe repository checkouts when processing pull requests from forks, so code chosen by the fork owner ran in a job that had a Personal Access Token and an SSH signing key available. A malicious contributor therefore needed no privileges and no maintainer interaction to obtain repository write access and code-signing capability. The changed scope (S:C) in the CVSS vector reflects that the impact reaches beyond the workflow itself to the repository and to dependent systems that trust its commits and signatures. Patch commit fcf9302 remediated the unsafe checkout and credential handling.
Defensive priority
critical
Recommended defensive actions
- Audit all GitHub Actions workflows for unsafe checkout practices, in particular jobs that run in the base repository's context with secrets available and use actions/checkout to fetch the pull request head from a fork
- Rotate the Personal Access Token and SSH signing key that the vulnerable generate-schema.yaml workflow could have exposed, and treat commits signed with the old key during the exposure window as unverified until they have been reviewed
- Apply least privilege to CI/CD secrets: prefer fine-grained tokens scoped to one repository with only the permissions a job needs over classic PATs
- Restrict workflows that hold secrets from running on pull requests from forks without maintainer approval; require signed commits via branch protection only after the exposed signing key has been revoked, since a signature requirement adds nothing while an attacker may hold the key
- The fix is a change to the repository's own workflow (commit fcf9302), so there is no chart-side patch for consumers to apply; review the security advisory GHSA-r874-j8fr-x2pj for remediation guidance and for whether any published chart content is affected
- Prefer GitHub's OIDC federation and the job-scoped GITHUB_TOKEN over long-lived secrets in CI/CD pipelines where possible
- Review repository audit logs and secret usage for anomalous activity during the exposure window, including unexpected pushes, token use and commits signed with the exposed key
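Worked example (added by the editor; not code from CloudPirates, the advisory or commit fcf9302): a small Python audit script for the pattern described in the technical summary and the first recommended action above. It flags a workflow that both runs in the base repository's context, where repository secrets are available, and checks out the pull request head, so that fork-controlled files execute with those secrets in reach. The two embedded workflows are constructed for illustration: the first mirrors the class of mistake this page describes, the second a hardened form; neither is a copy of generate-schema.yaml. The trigger names, expression patterns and the `persist-credentials` option are real GitHub Actions features; the scan is a regex heuristic over the workflow text, not a YAML parse, so its output is a list of leads for manual review.

```python
"""Heuristic audit for the GitHub Actions anti-pattern behind this advisory:
a workflow running in the base repository's context (so its secrets are present)
that checks out the pull request head, letting fork-controlled files execute.
Editor's example, not CloudPirates code; regex heuristics over the workflow text,
not a YAML parse, so treat hits as leads for manual review."""
import re

# Events that run in the base repository with its secrets, even for fork PRs.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run", "issue_comment")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@")
# Expressions that make actions/checkout fetch the pull request's own code.
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref|repo)|github\.head_ref")
SECRET_RE = re.compile(r"secrets\.([A-Za-z0-9_]+)")


def strip_comments(text: str) -> str:
    """Drop YAML comments line by line, keeping line numbers stable."""
    return "\n".join("" if ln.lstrip().startswith("#") else ln.split(" #")[0]
                     for ln in text.splitlines())


def scan_workflow(text: str) -> dict:
    """Return privileged triggers, risky checkouts, secrets used and a verdict."""
    clean = strip_comments(text)
    lines = clean.splitlines()
    triggers = [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", clean)]
    pr_head_checkouts, token_persisting_checkouts = [], []
    for i, line in enumerate(lines):
        if not CHECKOUT_RE.search(line):
            continue
        key_col = line.index("uses:")
        step = [line]  # the step's remaining keys are indented at least as far as 'uses:'
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_col:
                break
            step.append(nxt)
        chunk = "\n".join(step)
        if PR_HEAD_RE.search(chunk):
            pr_head_checkouts.append(i + 1)           # 1-based line of the checkout
        if "persist-credentials: false" not in chunk:
            token_persisting_checkouts.append(i + 1)  # token stays in .git/config
    if triggers and pr_head_checkouts:
        verdict = "UNSAFE"  # fork-controlled code runs with base-repo secrets present
    elif triggers:
        verdict = "REVIEW"  # privileged trigger; check what untrusted input it consumes
    else:
        verdict = "OK"
    return {
        "verdict": verdict,
        "privileged_triggers": triggers,
        "pr_head_checkouts": pr_head_checkouts,
        "checkouts_persisting_token": token_persisting_checkouts,
        "secrets": sorted(set(SECRET_RE.findall(clean))),
    }


# Constructed sample of the class of mistake this debrief describes (not the real file).
VULNERABLE_WORKFLOW = """\
name: generate-schema (constructed unsafe example)
on:
  pull_request_target:
permissions:
  contents: write
jobs:
  schema:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ secrets.PAT }}
      - name: Import signing key
        run: echo "${{ secrets.SSH_SIGNING_KEY }}" > ~/.ssh/signing_key
      - name: Generate schema
        run: make schema   # runs the fork's Makefile with PAT and key on disk
"""

# Constructed hardened form: on pull_request a fork PR gets no secrets and a read-only
# token; any step needing write or signing rights belongs in a separate trusted job.
HARDENED_WORKFLOW = """\
name: generate-schema (constructed hardened example)
on:
  pull_request:
permissions:
  contents: read
jobs:
  schema:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Generate schema
        run: make schema
"""

if __name__ == "__main__":
    for label, wf in (("unsafe", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, scan_workflow(wf))
```

Run it over every file under .github/workflows/ and review each UNSAFE hit by hand. The hardened sample runs on the plain pull_request event, so a fork PR receives only a read-only GITHUB_TOKEN and no repository secrets; any step that needs the PAT or the signing key, such as committing the regenerated schema, belongs in a separate maintainer-controlled job that never checks out or executes the fork's code.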
Evidence notes
CVE description confirms the generate-schema.yaml workflow exposed Personal Access Token and SSH signing key to fork-controlled code due to unsafe checkout and credential handling practices prior to commit fcf9302. CVSS 3.1 vector from NVD source metadata: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N. CWE-94 identified as primary weakness. Two GitHub references provided: patch commit and security advisory.
Official resources
- Patch commit fcf9302 (GitHub)
- Security advisory GHSA-r874-j8fr-x2pj (GitHub)
2026-06-01T17:17:08.640Z