Cyber Posture

CVE-2026-24844

High

Published: 04 February 2026
Modified: 18 February 2026
KEV Added: not listed
Patch: fixed in 0.40.3
CVSS Score: 7.9 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (1.1 percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24844 is a high-severity OS Command Injection (CWE-78) vulnerability in Chainguard Melange. Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). EPSS ranks it at the 1.1 percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and one other technique (Exploitation for Client Execution, T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation

Requires validation and error handling of user-provided build inputs supplied through ${{vars.*}} or ${{inputs.*}} before they are embedded into shell scripts. Because the affected field is spliced in without quote escaping, validating these values before substitution directly prevents the command injection.

prevent · SI-2 Flaw Remediation

Mandates identification, reporting, and correction of the specific command injection flaw by patching melange to version 0.40.3.

detect

Ensures the organization receives and acts on security advisories such as GHSA-vqqr-rmpc-hhg2, facilitating discovery and remediation of this CVE.

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Command injection (CWE-78) directly enables arbitrary Unix shell execution via unsanitized ${{vars.*}}/${{inputs.*}} substitutions in shell scripts (T1059.004); exploitation of the vulnerable melange binary to achieve code execution matches T1203.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.

Deeper analysis

CVE-2026-24844 is a command injection vulnerability (CWE-78) in melange, a tool for building APK packages using declarative pipelines. The issue affects versions from 0.3.0 up to but not including 0.40.3, where user-provided build input values using ${{vars.*}} or ${{inputs.*}} substitutions in the working-directory field are embedded into shell scripts without proper quote escaping, enabling arbitrary shell command execution. The vulnerability carries a CVSS v3.1 base score of 7.9 (AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).

An attacker with the ability to supply build input values, but without permission to modify pipeline definitions, can exploit this if the pipeline incorporates the affected substitutions in working-directory. Per the CVSS vector, exploitation requires local access, low privileges and user interaction and is low in complexity; a successful exploit changes scope and has high confidentiality and integrity impact (unauthorized data access or modification) with no availability impact.

The vulnerability has been patched in melange version 0.40.3. Official advisories and the fixing commit are available on the Chainguard GitHub repository, including the security advisory at GHSA-vqqr-rmpc-hhg2 and the patch commit e51ca30cfb63178f5a86997d23d3fff0359fa6c8.
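The defect class described above is unescaped string substitution into shell script text. The following Go program is an added illustration written for this page, not melange's own rendering code: it implements a hypothetical `${{vars.*}}`/`${{inputs.*}}` substitution, shows the unquoted rendering beside a single-quoted rendering, and adds an allowlist check of the kind SI-10 calls for. The placeholder syntax follows the advisory; the function names, the allowlist pattern and the sample values are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// substRe matches the ${{vars.NAME}} and ${{inputs.NAME}} placeholder syntax
// named in the advisory. Everything in this file is a constructed illustration
// of the defect class (CWE-78), not melange's own rendering code.
var substRe = regexp.MustCompile(`\$\{\{(vars|inputs)\.([A-Za-z0-9_-]+)\}\}`)

// workdirRe is a hypothetical allowlist for a working-directory value: path
// characters only, no whitespace and no shell metacharacters.
var workdirRe = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

// shellQuote wraps s in single quotes so a POSIX shell reads it as one literal
// word; an embedded single quote becomes '\'' (close, escaped quote, reopen).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// lookup resolves a placeholder against the vars and inputs namespaces.
func lookup(ns, name string, vars, inputs map[string]string) (string, bool) {
	var v string
	var ok bool
	switch ns {
	case "vars":
		v, ok = vars[name]
	case "inputs":
		v, ok = inputs[name]
	}
	return v, ok
}

// render substitutes every placeholder in script, passing each resolved value
// through wrap before splicing it in. Unresolved placeholders are left as-is.
func render(script string, vars, inputs map[string]string, wrap func(string) string) string {
	return substRe.ReplaceAllStringFunc(script, func(m string) string {
		parts := substRe.FindStringSubmatch(m)
		v, ok := lookup(parts[1], parts[2], vars, inputs)
		if !ok {
			return m
		}
		return wrap(v)
	})
}

// renderUnsafe splices raw values into the script text: any shell
// metacharacters a build input contains are interpreted by the shell, which is
// the pattern the advisory describes.
func renderUnsafe(script string, vars, inputs map[string]string) string {
	return render(script, vars, inputs, func(v string) string { return v })
}

// renderQuoted splices each value as a single-quoted word, so the shell sees it
// as data (here, a directory name) rather than as command syntax.
func renderQuoted(script string, vars, inputs map[string]string) string {
	return render(script, vars, inputs, shellQuote)
}

// validWorkdir is the SI-10 style input check: reject anything outside the
// allowlist and any parent-directory component.
func validWorkdir(s string) bool {
	if !workdirRe.MatchString(s) {
		return false
	}
	for _, part := range strings.Split(s, "/") {
		if part == ".." {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: a pipeline step whose working-directory comes from a
	// user-supplied variable, and a value carrying a shell metacharacter.
	script := "cd ${{vars.workdir}} && make"
	vars := map[string]string{"workdir": "build; echo hi"}

	fmt.Println("unsafe: ", renderUnsafe(script, vars, nil))
	fmt.Println("quoted: ", renderQuoted(script, vars, nil))
	fmt.Println("accepted by validator:", validWorkdir(vars["workdir"]))
}
```

The unquoted rendering produces `cd build; echo hi && make`, in which the `;` from the input has become a command separator; the quoted rendering produces `cd 'build; echo hi' && make`, where the whole value is one argument to `cd`. Quoting and validation are complementary: quoting keeps a value from being parsed as syntax, while the allowlist rejects values that should never reach a working-directory field at all.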

Details

CWE(s)

CWE-78 OS Command Injection

Affected Products

chainguard melange, versions 0.3.0 to 0.40.5

CVEs Like This One

CVE-2026-25143 (same product: Chainguard Melange)
CVE-2026-24843 (same product: Chainguard Melange)
CVE-2026-41015 (shared CWE-78)
CVE-2026-40032 (shared CWE-78)
CVE-2025-1244 (shared CWE-78)
CVE-2026-39862 (shared CWE-78)
CVE-2026-40030 (shared CWE-78)
CVE-2026-33412 (shared CWE-78)
CVE-2026-6849 (shared CWE-78)
CVE-2026-5485 (shared CWE-78)

References