CVE

CVE-2026-22869

Eigent Allows Arbitrary Code Execution via pull_request_target CI Workflow

CVE

CVE-2026-22869

Eigent Allows Arbitrary Code Execution via pull_request_target CI Workflow

Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pullrequesttarget trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.9

4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22869.json, https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5, https://github.com/eigent-ai/eigent/pull/836, https://github.com/eigent-ai/eigent/pull/837, https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp, https://nvd.nist.gov/vuln/detail/CVE-2026-22869

Severity

0

CVSS Score

Basic Information

Ecosystem

Base CVSS

EPSS Probability

0.00145%

EPSS Percentile

0.34553%

Introduced Version

Fix Available

bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-22869

CVE-2026-22869

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

0

Basic Information

Fix Critical Vulnerabilities Instantly