PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44358 espressif CVE debrief

A vulnerability in Espressif Shared GitHub DangerJS (prior to version 1.0.1) allows arbitrary code execution via an untrusted search path. The action's entrypoint.sh copied a fork's checkout into the caller's workspace before invoking DangerJS, enabling a pull_request_target workflow to execute attacker-supplied code in place of the legitimate action code. This affects CI/CD pipelines using the vulnerable GitHub Action. The issue is resolved in version 1.0.1.

Vendor
espressif
Product
shared-github-dangerjs
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations using Espressif Shared GitHub DangerJS in CI/CD pipelines, particularly those processing external fork pull requests via pull_request_target workflows. Security teams responsible for GitHub Actions supply chain security and developers maintaining reusable GitHub Actions workflows.

Technical summary

The vulnerability exists in entrypoint.sh, which copies the fork's checkout into the caller's workspace before DangerJS is invoked. This creates untrusted search paths for both binary lookup and Node.js module resolution. A malicious fork pull request processed by a pull_request_target workflow can therefore substitute attacker-controlled code that runs inside the action container. The fix in 1.0.1 removes this unsafe workspace sharing.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Espressif Shared GitHub DangerJS to version 1.0.1 or later
  • Review GitHub Actions workflows using pull_request_target triggers for similar untrusted search path vulnerabilities
  • Audit fork pull request processing in CI/CD pipelines to ensure isolation between caller and fork code
  • Verify DangerJS invocations use absolute paths or controlled environments rather than caller workspace resolution
  • Monitor for suspicious activity in repositories using affected versions prior to 2026-05-28
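The following audit script is an added example, not PatchSiren's or Espressif's code. It illustrates the technical summary and the review actions above by scanning a workflow file for the combination the debrief describes: a pull_request_target trigger, a checkout of the fork's head into the caller workspace, and a DangerJS action reference below the fixed version 1.0.1. The action slug `espressif/shared-github-dangerjs` is an assumption derived from the vendor and product fields; the two embedded workflows are constructed samples. The scan is a line-based heuristic (no YAML library needed) so it runs offline on any checkout.

```python
"""Flag pull_request_target workflows that run the affected DangerJS action.

Added example, not PatchSiren's or Espressif's code. ACTION_SLUG is an
assumption built from the advisory's vendor/product fields; the sample
workflows below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIXED_VERSION = (1, 0, 1)                            # fixed release per the advisory
ACTION_SLUG = "espressif/shared-github-dangerjs"     # assumed slug (vendor/product)


@dataclass
class Finding:
    line: int
    message: str


def parse_version(ref: str) -> Optional[Tuple[int, int, int]]:
    """Turn a release tag such as 'v1.0.0' into (1, 0, 0); None for branches/SHAs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_workflow(text: str) -> List[Finding]:
    """Return findings for one workflow file's text (heuristic, line-based)."""
    findings: List[Finding] = []
    lines = text.splitlines()
    # Only pull_request_target gives fork code a write-capable token, so the
    # untrusted search path matters only when that trigger is present.
    triggered = any(re.search(r"\bpull_request_target\b", l.split("#")[0]) for l in lines)
    if not triggered:
        return findings
    for i, raw in enumerate(lines, 1):
        line = raw.split("#")[0].strip()            # ignore YAML comments
        m = re.match(r"-?\s*uses:\s*([^@\s]+)@(\S+)", line)
        if m and m.group(1) == ACTION_SLUG:
            ref = m.group(2)
            ver = parse_version(ref)
            if ver is None:
                findings.append(Finding(i, f"{ACTION_SLUG} pinned to non-release ref '{ref}'; pin to v1.0.1 or later"))
            elif ver < FIXED_VERSION:
                findings.append(Finding(i, f"{ACTION_SLUG}@{ref} is below the fixed version 1.0.1"))
        m = re.match(r"ref:\s*(.+)", line)
        if m and "pull_request.head" in m.group(1):
            # Checking out the PR head under pull_request_target puts fork-controlled
            # files in the caller workspace, which is what the action then searched.
            findings.append(Finding(i, "fork head checked out under pull_request_target; fork code lands in the caller workspace"))
    return findings


# Constructed sample: the risky shape (fork head checkout + pre-fix action).
VULNERABLE_WORKFLOW = """\
name: danger
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  danger:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: espressif/shared-github-dangerjs@v1.0.0
"""

# Constructed sample: base-branch checkout and the fixed action version.
FIXED_WORKFLOW = """\
name: danger
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  danger:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: espressif/shared-github-dangerjs@v1.0.1
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(f"== {name} ==")
        for f in audit_workflow(wf):
            print(f"  line {f.line}: {f.message}")
```

Run it over `.github/workflows/*.yml` by feeding each file's text to `audit_workflow`; an empty result for a file does not prove it safe, since the heuristic only recognises the action slug assumed here and the `pull_request.head` checkout pattern, but any finding is worth a manual review against the advisory.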

Evidence notes

CVE published 2026-05-28. Fix commit d742408028135ea200982b5b2e3e438dc4e5a25d addresses the untrusted search path. CVSS 8.2 (HIGH) reflects network attack vector with low complexity, no privileges required, user interaction needed, scope change, low confidentiality impact, high integrity impact, no availability impact.

Official resources

2026-05-28