PatchSiren cyber security CVE debrief
CVE-2026-44723 VowpalWabbit CVE debrief
Vowpal Wabbit's GitHub Actions workflow contains a command injection vulnerability in .github/workflows/python_checks.yml. The workflow embeds `${{ github.event.pull_request.title }}` directly within double-quoted bash strings across four separate steps in four jobs, passing the value as a CLI argument to run_tests_model_gen_and_load.py. Because the shell expands this string before Python receives it, an attacker can craft a malicious pull request title to break out of the quotes and execute arbitrary commands on the GitHub Actions runner. The pull_request trigger fires on PRs targeting any branch (`branches: ['*']`) without additional access controls, allowing any external contributor to exploit this. The vulnerability was fixed in commit 998e390e80a7e8192d7849b7784bc113dbd190ad.
- Vendor: VowpalWabbit
- Product: vowpal_wabbit
- CVSS: MEDIUM 5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations using Vowpal Wabbit in their machine learning pipelines should prioritize patching, especially if they rely on GitHub Actions for automated testing. Security teams responsible for CI/CD infrastructure and supply chain security should audit their own workflows for similar patterns. Development teams maintaining open-source projects with public pull request workflows should review their GitHub Actions configurations for unsanitized user inputs.
Technical summary
The vulnerability exists in the python_checks.yml workflow where `${{ github.event.pull_request.title }}` is interpolated directly into bash command strings. In GitHub Actions, expression syntax `${{ }}` is evaluated and substituted before the shell executes the command. When this substitution occurs inside double quotes within a shell command, malicious input containing quote characters, command substitution operators `$()`, or other shell metacharacters can escape the intended context and execute arbitrary commands. The workflow passes this value to run_tests_model_gen_and_load.py as a CLI argument, but the shell interpretation happens before Python ever receives the argument. With the pull_request trigger configured for all branches (`['*']`), any external contributor can create a PR with a malicious title to trigger the workflow and execute commands on the runner, potentially exfiltrating secrets, modifying repository contents, or pivoting to other systems.
Defensive priority
MEDIUM
Recommended defensive actions
- Review all GitHub Actions workflows for unsanitized user-controlled inputs embedded in shell commands, particularly `${{ github.event.pull_request.title }}` and similar context variables
- Apply the principle of least privilege to workflow triggers by restricting `branches:` filters and adding required reviewers or environment protection rules
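- Pass user-controlled values to shell steps through `env:` and reference them as quoted shell variables, rather than interpolating `${{ }}` expressions directly into shell commands; quoting the expression itself does not help, because the substitution happens before the shell parses the command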
- Audit commit 998e390e80a7e8192d7849b7784bc113dbd190ad for the specific remediation pattern and apply similar fixes to any forked or related repositories
- Enable GitHub's security features including Dependabot alerts and code scanning to detect similar injection patterns in CI/CD configurations
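As an aid to the workflow review recommended above, the following added example (not code from the Vowpal Wabbit project or from the fix commit) scans workflow text for attacker-controllable `${{ }}` expressions that land inside `run:` scripts, and leaves the same expression alone when it is only assigned under `env:`. The context list is a subset chosen for illustration; the sample workflow is constructed, and `my_tests.py` and `--label` are hypothetical names.

```python
import re
import sys

# Attacker-controllable contexts (a subset, chosen for this example).
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\bgithub\.(?:head_ref|event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body))[^}]*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_run_injections(workflow_text):
    """Return (line_no, expression) for untrusted ${{ }} used inside run: scripts."""
    findings, key_col = [], None  # key_col: column of run: while in a block scalar
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if key_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= key_col:
                key_col = None  # dedent ends the block scalar
            else:
                findings += [(no, m.group(0)) for m in UNTRUSTED.finditer(line)]
                continue
        m = RUN_KEY.match(line)
        if m:
            if m.group(2)[:1] in ("|", ">"):
                key_col = len(m.group(1))  # multi-line script follows
            else:
                findings += [(no, x.group(0)) for x in UNTRUSTED.finditer(m.group(2))]
    return findings

# Constructed workflow, not the project's file; my_tests.py and --label are hypothetical.
SAMPLE = """\
on:
  pull_request:
    branches: ['*']
jobs:
  unsafe:
    runs-on: ubuntu-latest
    steps:
      - name: title interpolated into the script text
        run: |
          python3 my_tests.py --label "${{ github.event.pull_request.title }}"
  safe:
    runs-on: ubuntu-latest
    steps:
      - name: title passed as data through env
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: python3 my_tests.py --label "$PR_TITLE"
"""

if __name__ == "__main__":
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE]
    for text in texts:
        for no, expr in find_run_injections(text):
            print(f"line {no}: {expr} is expanded into the shell script")
```

Run with workflow file paths as arguments to scan real files; with no arguments it scans the embedded sample. The line-based parsing covers `run:` keys and block scalars only, so treat a clean result as a first pass, not proof of absence.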
Evidence notes
The vulnerability description indicates the workflow file .github/workflows/python_checks.yml contains four vulnerable steps across four jobs. The fix commit 998e390e80a7e8192d7849b7784bc113dbd190ad addresses the command injection by properly handling the PR title input. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N yields a base score of 5.0 (MEDIUM), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low confidentiality impact with no integrity or availability impact.
Official resources
CVE-2026-44723 was published on 2026-05-26T17:16:46.680Z and last modified on 2026-05-26T20:24:31.350Z. The vulnerability affects Vowpal Wabbit's CI/CD pipeline via GitHub Actions. The issue is classified as CWE-78 (OS Command Injection).