Cyber Resilience

CVE-2026-22869

Severity: High · Public PoC · RCE

Published: 13 January 2026
Modified: 29 January 2026
KEV Added: not listed
Patch: available (fix commit bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5, pull requests #836 and #837)
CVSS Score v4: 8.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P; remaining metrics not defined)
EPSS Score: 0.0055 (41.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22869 is a high-severity Code Injection (CWE-94) vulnerability in Eigent (vendor Eigent). Its CVSS v4.0 score is 8.9 (High); under CVSS v3.1 it is rated 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). EPSS ranks it at the 41.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST SP 800-53 CM-3 (Configuration Change Control) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2026-22869, published on 2026-01-13, is rated Critical under CVSS v3.1 (9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and High under CVSS v4.0 (8.9, with the Exploit Maturity threat metric set to proof-of-concept, E:P). It is classified under CWE-94 (Code Injection) and affects Eigent, a multi-agent workforce project hosted at github.com/eigent-ai/eigent. The flaw is in the CI workflow defined in .github/workflows/ci.yml, which uses the pull_request_target trigger and then checks out untrusted code from pull requests opened from forks. pull_request_target runs in the context of the base repository, with the repository's GITHUB_TOKEN (write-capable unless the repository restricts it) and access to repository secrets, precisely because it is meant to execute only trusted base-branch code; checking out and running the PR head inside that job hands the privileged context to whoever opened the pull request, and so enables arbitrary code execution in the workflow environment.

An attacker exploits this by opening a pull request from a fork; no repository privileges are required (PR:N in the CVSS vector), since anyone can fork a public repository. Once the workflow triggers, any step that executes files from the checkout (dependency install hooks, test scripts, build tooling) runs the attacker's code with write permissions on the base repository, allowing them to exfiltrate secrets and credentials, post comments, push arbitrary code, or create releases.

Mitigation is documented in GitHub security advisory GHSA-gvh4-93cq-5xxp; the fix landed in commit bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5 via pull requests #836 and #837, so Eigent users should move to a version later than 0.0.78. Security practitioners should audit their own CI workflows for pull_request_target combined with a checkout of the PR head (a ref: pointing at github.event.pull_request.head.sha or refs/pull/<n>/merge is the usual tell) and either switch the job to the pull_request event, which runs fork PRs with a read-only token and no secrets, or keep pull_request_target only for jobs that never execute PR-controlled code.
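The audit described above, as an added example that is not the project's own code or workflow: a small Python script that flags a workflow only when a pull_request_target trigger is combined with a checkout or fetch of the pull request head. The three embedded workflow files (VULNERABLE_WORKFLOW, HARDENED_WORKFLOW, LABEL_ONLY_WORKFLOW) are constructed for illustration and are not the real ci.yml, which this page does not reproduce; the function names triggers, untrusted_checkouts and audit are this example's own.

```python
"""Audit GitHub Actions workflows for the CVE-2026-22869 pattern: a pull_request_target
trigger combined with a checkout (or fetch) of the pull request head, which runs
attacker-controlled code with the base repository's token and secrets."""
import itertools
import re

# Constructed samples illustrating the advisory's description; NOT the project's real ci.yml.
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""
# Hardened: pull_request runs fork PRs with a read-only token and no secrets.
HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
# Legitimate pull_request_target: the default checkout is the base branch, no PR code runs.
LABEL_ONLY_WORKFLOW = """\
on: [pull_request_target]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: gh pr edit ${{ github.event.pull_request.number }} --add-label needs-review
"""

TOP_KEY = re.compile(r'^["\']?([A-Za-z_][\w-]*)["\']?:\s*(.*?)\s*$')
# Expressions that resolve to the PR head, i.e. code the PR author controls.
UNTRUSTED_REF = re.compile(r"github\.event\.pull_request\.head|github\.head_ref|refs/pull/")
# Shell idioms that fetch the PR head without actions/checkout.
UNTRUSTED_FETCH = re.compile(r"gh pr checkout|git (fetch|checkout) .*pull/")

def triggers(workflow):
    """Event names under the top-level `on:` key (scalar, flow list or mapping form)."""
    lines = workflow.splitlines()
    events = set()
    for i, line in enumerate(lines):
        m = TOP_KEY.match(line)
        if not m or m.group(1) != "on":
            continue
        if m.group(2):  # on: push   or   on: [push, pull_request_target]
            events |= {e.strip() for e in m.group(2).strip("[]").split(",") if e.strip()}
        # mapping/list form: indented lines up to the next top-level key, shallowest keys win
        block = [b for b in itertools.takewhile(lambda s: not s or s[0].isspace(),
                                                lines[i + 1:]) if b.strip()]
        if block:
            depth = min(len(b) - len(b.lstrip()) for b in block)
            events |= {b.strip().lstrip("- ").split(":")[0]
                       for b in block if len(b) - len(b.lstrip()) == depth}
        break
    return events

def untrusted_checkouts(workflow):
    """(line, detail) for steps that check out or fetch the PR head; single-line run: only."""
    lines = workflow.splitlines()
    hits = []
    for i, line in enumerate(lines):
        text = line.strip()
        if text.startswith(("- run:", "run:")):
            if UNTRUSTED_FETCH.search(text):
                hits.append((i + 1, "shell step fetches the pull request head"))
            continue
        if "uses:" not in text or "actions/checkout" not in text:
            continue
        indent = len(line) - len(line.lstrip())
        key_indent = indent + 2 if text.startswith("- ") else indent  # column of `uses:`
        for nxt in lines[i + 1:]:  # this step's sibling keys (with: ref: ...)
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_indent:
                break  # next step or end of the steps list
            m = re.match(r"\s*ref:\s*(.+)$", nxt)
            if m and UNTRUSTED_REF.search(m.group(1)):
                hits.append((i + 1, f"actions/checkout with ref {m.group(1).strip()}"))
                break
    return hits

def audit(workflow):
    """Findings for the dangerous combination; empty means no pull_request_target or no PR code."""
    if "pull_request_target" not in triggers(workflow):
        return []
    return [(n, f"pull_request_target workflow: {d}") for n, d in untrusted_checkouts(workflow)]
```

Feed each file under .github/workflows/ to audit(); a hit names the step that executes PR-author-controlled code with the base repository's GITHUB_TOKEN and secrets. The label-only sample is deliberately not flagged: pull_request_target by itself is not the bug, and that distinction is what the fix relies on. The scanner is line-based, so it does not see `run: |` block scalars or a ref passed through env or matrix variables; treat a clean result as a starting point for manual review, not a verdict.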

Vulnerability details

Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses the pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases.

CWE(s)

CWE-94 Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1195.001 · Compromise Software Dependencies and Development Tools · Initial Access
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
T1195.002 · Compromise Software Supply Chain · Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1552 · Unsecured Credentials · Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vulnerability allows arbitrary code execution in CI workflow via malicious PR from fork, enabling supply chain compromise of development tools/CI (T1195.001/.002) and theft of secrets/credentials (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68952 · same product: Eigent
CVE-2026-45132 · shared CWE-94
CVE-2026-8634 · shared CWE-94
CVE-2026-44295 · shared CWE-94
CVE-2026-41414 · shared CWE-94
CVE-2026-45131 · shared CWE-94
CVE-2026-29075 · shared CWE-94
CVE-2026-30887 · shared CWE-94
CVE-2025-27554 · shared CWE-94
CVE-2021-47939 · shared CWE-94

Affected Assets

eigent / eigent, versions ≤ 0.0.78

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · Establishes and enforces secure configuration settings for CI/CD workflows to prevent use of pull_request_target triggers with untrusted code checkouts from forks.

prevent · CM-5 (Access Restrictions for Change): restricts access to CI workflow configuration mechanisms to authorized personnel, preventing malicious modifications that enable arbitrary code execution.

prevent · CM-3 (Configuration Change Control): implements configuration change control processes to review and approve modifications to CI workflows, blocking introduction of vulnerable trigger and checkout combinations.
