CVE-2026-27938
Published: 26 February 2026
Summary
CVE-2026-27938 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 12.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-3 (Configuration Change Control).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of untrusted inputs such as GitHub pull request bodies before they are incorporated into shell commands, directly preventing the OS command injection in the release.yml workflow.
- CM-3 (Configuration Change Control): establishes change control processes to review, test, and approve modifications to GitHub Actions workflows, helping identify and remediate insecure practices such as direct PR body injection.
- Developer configuration management: mandates that developers maintain secure baselines and control changes to CI/CD artifacts such as release.yml, preventing the introduction or persistence of command injection flaws.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the release.yml workflow enables arbitrary shell command execution on the Actions runner (T1059) and directly facilitates supply chain compromise of released WPGraphQL plugin artifacts (T1195.002).
NVD Description
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.
Deeper analysis
CVE-2026-27938 is an OS command injection vulnerability (CWE-78) in the GitHub Actions workflow file `release.yml` within the `wp-graphql/wp-graphql` repository. WPGraphQL is a plugin that provides a GraphQL API for WordPress sites. The issue affects versions prior to 2.9.1, where the workflow directly incorporates `${{ github.event.pull_request.body }}` into a `run:` shell block without sanitization.
The vulnerability can be exploited by an attacker with low privileges (PR:L) who submits a pull request from the `develop` branch to `master` containing a malicious payload in the PR body. Exploitation requires a reviewer to merge the pull request (UI:R), at which point the PR body is injected verbatim into a shell command executed on the GitHub Actions runner. Successful exploitation enables arbitrary command execution on the runner, achieving high confidentiality and integrity impacts with a changed scope (CVSS 7.7).
Version 2.9.1 of WPGraphQL resolves the vulnerability. Additional details are available in the GitHub security advisory at https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x and the fixing commit at https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58.
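The pattern behind this class of bug is a GitHub Actions expression such as `${{ github.event.pull_request.body }}` expanded directly inside a `run:` block, so attacker-controlled text becomes shell syntax before the shell ever runs. The script below is an added example, not code from the WPGraphQL project or its advisory: it scans workflow YAML for that pattern and flags expressions rooted in event fields that GitHub documents as untrusted. The two embedded workflows are constructed illustrations of the insecure shape and of the usual remediation (bind the expression to an `env:` variable and let the shell read it as data); they are not the project's real `release.yml`, and the list of untrusted contexts is a subset chosen for the example.

```python
import re

# Constructed sample: the insecure shape the advisory describes. An expression
# is expanded directly into the run: script, so its contents are parsed as shell.
VULNERABLE_WORKFLOW = """\
name: release
on:
  pull_request:
    types: [closed]
    branches: [master]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Prepare release notes
        run: |
          echo "${{ github.event.pull_request.body }}" > notes.txt
"""

# Constructed sample: the same step after remediation. The expression is bound
# to an environment variable, so the shell receives it as a value, not as code.
HARDENED_WORKFLOW = """\
name: release
on:
  pull_request:
    types: [closed]
    branches: [master]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Prepare release notes
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          printf '%s\\n' "$PR_BODY" > notes.txt
"""

# Assumed subset of event contexts whose values are attacker-controlled.
# Extend this list to match your organisation's policy.
UNTRUSTED_PREFIXES = (
    "github.event.pull_request.body",
    "github.event.pull_request.title",
    "github.event.pull_request.head.ref",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
BLOCK_INDICATORS = {"|", ">", "|-", ">-", "|+", ">+"}


def find_run_injections(workflow_text):
    """Return (line_number, expression) for every untrusted ${{ }} expression
    that appears inside a run: block of the given workflow text."""
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        # Collect the run: script: either the inline value or the whole
        # block scalar, i.e. every following line indented past the key.
        body = [(i + 1, m.group(2))]
        if m.group(2).strip() in BLOCK_INDICATORS:
            key_col = lines[i].index("run:")
            j = i + 1
            while j < len(lines) and (
                not lines[j].strip()
                or len(lines[j]) - len(lines[j].lstrip()) > key_col
            ):
                body.append((j + 1, lines[j]))
                j += 1
            i = j
        else:
            i += 1
        for lineno, text in body:
            for expr in EXPR_RE.findall(text):
                if expr.startswith(UNTRUSTED_PREFIXES):
                    findings.append((lineno, expr))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW),
                        ("hardened", HARDENED_WORKFLOW)):
        print(label, find_run_injections(text))
```

The scanner flags the vulnerable sample at the `echo` line and reports nothing for the hardened one, because the expression there sits under `env:` rather than inside the script. The same check fits naturally into the CM-3 change-control step: run it on every pull request that touches `.github/workflows/` and block the merge on any finding.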
Details
- CWE(s)