CVE-2026-22869
Published: 13 January 2026
Summary
CVE-2026-22869 is a critical-severity Code Injection (CWE-94) vulnerability in Eigent (vendor: Eigent). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). It is ranked at the 41.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-3 (Configuration Change Control) and CM-5 (Access Restrictions for Change).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Establishes and enforces secure configuration settings for CI/CD workflows, preventing the use of pull_request_target triggers together with checkouts of untrusted code from forks.
- Restricts access to CI workflow configuration mechanisms to authorized personnel, preventing malicious modifications that would enable arbitrary code execution.
- Implements configuration change control so that modifications to CI workflows are reviewed and approved, blocking the introduction of vulnerable trigger and checkout combinations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows arbitrary code execution in the CI workflow via a malicious pull request from a fork, enabling supply chain compromise of development tools and CI (T1195.001/.002) and theft of secrets and credentials (T1552).
NVD Description
Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses the pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases.
Deeper analysis
CVE-2026-22869, published on 2026-01-13, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-94 (Code Injection) affecting Eigent, a multi-agent Workforce project hosted at github.com/eigent-ai/eigent. The flaw resides in the CI workflow defined in .github/workflows/ci.yml, which improperly uses the pull_request_target trigger alongside checkout of untrusted code from pull requests originating from forks. This configuration enables arbitrary code execution within the workflow environment.
Attackers can exploit this vulnerability by submitting a malicious pull request from a forked repository, requiring no special privileges per the CVSS base score (PR:N). Upon triggering the workflow, the untrusted PR code executes with repository write permissions in the base repository's context, allowing attackers to steal secrets or credentials, post comments, push arbitrary code, or create releases.
Mitigation details are outlined in the GitHub security advisory GHSA-gvh4-93cq-5xxp, with fixes applied via commit bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5 and pull requests #836 and #837. Security practitioners should audit and update CI workflows to avoid pull_request_target with untrusted checkouts, applying these patches to remediate affected instances.
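The audit that practitioners are advised to perform above can be scripted. The following is an added example, not code from the Eigent project and not its actual ci.yml: a heuristic, dependency-free scanner that flags a GitHub Actions workflow only when it combines a pull_request_target trigger with an actions/checkout step that checks out the pull request head (github.event.pull_request.head.sha/ref or github.head_ref), which is the combination described in the advisory. The three workflow snippets are constructed samples: one showing the vulnerable pattern, one hardened by switching to the pull_request trigger with a read-only token, and one that keeps pull_request_target but checks out only the trusted base branch (the default behaviour of actions/checkout under that trigger).

```python
"""
Heuristic audit for the CI misconfiguration class behind CVE-2026-22869:
a workflow triggered by pull_request_target that checks out the PR head,
so fork-supplied code runs with the base repository's token and secrets.
Added example with constructed inputs; not the Eigent project's workflow.
"""
import re
from dataclasses import dataclass

# Expressions that resolve to the untrusted pull request head.
PR_HEAD_REFS = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref"
)


@dataclass
class Finding:
    line: int
    message: str


def strip_comment(line: str) -> str:
    """Drop a trailing YAML comment (naive: ignores '#' inside quotes)."""
    return line.split("#", 1)[0]


def audit_workflow(text: str) -> list[Finding]:
    """Return findings for the pull_request_target + PR-head-checkout pattern.

    Line-oriented heuristic rather than a full YAML parse; it assumes the
    usual layout of a workflow file (top-level `on:` before `jobs:`).
    """
    lines = text.splitlines()
    findings: list[Finding] = []

    # Trigger section: everything before the top-level `jobs:` key.
    jobs_at = next((i for i, l in enumerate(lines) if l.startswith("jobs:")), len(lines))
    prt_lines = [
        i + 1
        for i, l in enumerate(lines[:jobs_at])
        if re.search(r"\bpull_request_target\b", strip_comment(l))
    ]
    if not prt_lines:
        # pull_request runs fork code with a read-only token and no secrets;
        # nothing to flag for this check.
        return findings

    in_checkout = False
    for n, raw in enumerate(lines, 1):
        line = strip_comment(raw)
        if re.match(r"\s*-\s", line):
            # New list item (usually a new step): track whether it is a checkout.
            in_checkout = "actions/checkout" in line
        elif "uses:" in line and "actions/checkout" in line:
            in_checkout = True
        m = re.search(r"\bref\s*:\s*(\S.*)", line)
        if in_checkout and m and PR_HEAD_REFS.search(m.group(1)):
            findings.append(Finding(
                n,
                "pull_request_target (line %d) with checkout of the PR head: "
                "fork code runs with the base repository's write token" % prt_lines[0],
            ))

    if not any(l.startswith("permissions:") for l in lines):
        findings.append(Finding(
            prt_lines[0],
            "no top-level permissions block; token scopes fall back to repository defaults",
        ))
    return findings


# Constructed sample: the vulnerable combination.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR head
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed sample: hardened by using pull_request and a read-only token.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Constructed sample: pull_request_target is acceptable when only the
# trusted base branch is checked out and permissions are scoped.
SAFE_PRT_WORKFLOW = """\
name: label
on:
  pull_request_target:
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/label.sh
"""

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW),
                     ("hardened", HARDENED_WORKFLOW),
                     ("safe-prt", SAFE_PRT_WORKFLOW)]:
        for f in audit_workflow(wf) or [Finding(0, "no findings")]:
            print(f"{name}: line {f.line}: {f.message}")
```

The scanner deliberately keys on the combination rather than on pull_request_target alone, since that trigger is legitimate for labelling or commenting on PRs as long as only base-branch code is executed. A production version should parse the YAML properly (noting that YAML 1.1 parsers read the bare key `on` as the boolean True) and also consider the repository's default token permissions, which this heuristic only hints at.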
Details
- CWE(s)