{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22869", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-12T16:20:16.747Z", "datePublished": "2026-01-13T20:38:42.662Z", "dateUpdated": "2026-01-14T23:26:18.334Z"}, "containers": {"cna": {"title": "Eigent Allows Arbitrary Code Execution via pull_request_target CI Workflow", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp"}, {"name": "https://github.com/eigent-ai/eigent/pull/836", "tags": ["x_refsource_MISC"], "url": "https://github.com/eigent-ai/eigent/pull/836"}, {"name": "https://github.com/eigent-ai/eigent/pull/837", "tags": ["x_refsource_MISC"], "url": "https://github.com/eigent-ai/eigent/pull/837"}, {"name": "https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5", "tags": ["x_refsource_MISC"], "url": "https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5"}], "affected": [{"vendor": "eigent-ai", "product": "eigent", "versions": [{"version": "< bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-13T20:38:42.662Z"}, "descriptions": [{"lang": "en", "value": "Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases."}], "source": {"advisory": "GHSA-gvh4-93cq-5xxp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T23:25:39.048462Z", "id": "CVE-2026-22869", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T23:26:18.334Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eigent:eigent:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D3C2A71-EA14-4494-ADBB-33F96AA8F0FC", "versionEndExcluding": "0.0.78", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases."}], "id": "CVE-2026-22869", "lastModified": "2026-01-29T17:52:40.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-13T21:15:54.917", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Exploit", "Third Party Advisory"], "url": "https://github.com/eigent-ai/eigent/pull/836"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Exploit", "Patch"], "url": "https://github.com/eigent-ai/eigent/pull/837"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:28:26.465222+00:00", "value": {"mitigation_remediation": ["Apply the patch provided in commit bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5 from PR #836/837.", "Replace or remove the pull_request_target trigger so the workflow does not checkout untrusted pull request code.", "Restrict forked pull requests to read\u2011only access or enforce a mandatory code review before merging."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Eigent, the workforce automation tool owned by eigent-ai. The vulnerability exists in any release that contains the unpatched ci.yml workflow file; the specific affected versions are not listed.", "description_and_impact": "The Eigent multi\u2011agent platform contains a flaw in its CI workflow configuration that triggers on pull_request_target events and checks out code from the pull request. Because the workflow runs with repository permissions, an attacker can inject malicious steps, resulting in arbitrary code execution. This CVE is a classic input\u2011validation and injection issue, categorized as CWE\u201194. An attacker can read secrets, create new releases, push code, and post comments.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.9, indicating high severity. The EPSS score is below 1%, suggesting low probability of exploitation currently, and the issue is not listed in the CISA KEV catalog. Exploitation requires the workflow to run with pull_request_target on a repository that allows forked pull requests with write permissions. Once triggered, the attacker can run any code with the workflow\u2019s permissions, including accessing secrets and pushing changes."}}}}, "created": "2026-01-14T11:08:31.860752+00:00", "updated": "2026-04-18T06:30:25.913562+00:00", "vendors": ["eigent-ai", "eigent-ai$PRODUCT$eigent"]}