CVE-2026-35580
Published: 07 April 2026
Summary
CVE-2026-35580 is a critical-severity Command Injection (CWE-77) vulnerability in NSA Emissary. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). It is ranked at the 5.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents shell injection vulnerabilities by requiring validation of user-controlled workflow_dispatch inputs before interpolation into shell commands.
- SI-2 (Flaw Remediation): mitigates the specific CVE by requiring timely flaw remediation through upgrading Emissary to version 8.39.0 or later, where the injection flaw is fixed.
- Enforces secure baseline configuration settings for GitHub Actions workflows to prohibit unsafe direct interpolation of untrusted inputs into shell commands.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Shell injection in GitHub Actions workflows via ${{ }} interpolation enables arbitrary Unix shell command execution (T1059.004); exploitation leads to repository modification and downstream supply chain compromise (T1195.002).
NVD Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.
Deeper analysis
CVE-2026-35580 is a shell injection vulnerability (CWE-77) in Emissary, a peer-to-peer based data-driven workflow engine. In versions prior to 8.39.0, GitHub Actions workflow files directly interpolated user-controlled inputs from workflow_dispatch events into shell commands using ${{ }} expression syntax, enabling command injection. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): although high privileges are required (PR:H), the changed scope (S:C) and high confidentiality, integrity and availability impact reflect the breadth of what a poisoned repository can affect.
An attacker with repository write access can exploit this flaw by submitting malicious workflow_dispatch inputs that inject arbitrary shell commands during workflow execution. Successful exploitation leads to repository poisoning, where the attacker can modify the repository's contents, artifacts, or secrets, resulting in supply chain compromise that propagates to all downstream users consuming Emissary workflows or dependencies.
The vulnerability is fixed in Emissary version 8.39.0, as detailed in the GitHub security advisory (GHSA-3g6g-gq4r-xjm9) and associated pull requests (#1286 and #1288). Security practitioners should upgrade to 8.39.0 or later and review GitHub Actions workflows for similar interpolation risks in user inputs.
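To support the workflow review recommended above, here is an added example (not code from Emissary or from this advisory) that scans a workflow file for workflow_dispatch inputs interpolated into `run:` scripts. The workflow text is constructed for illustration; its "unsafe" step shows the injection pattern and its "safe" step shows the usual fix of passing the input through an environment variable so the shell treats it as data.

```python
import re

# Constructed sample workflow (not taken from the Emissary repository). Step
# "unsafe" splices a workflow_dispatch input straight into the shell script;
# step "safe" passes the same input through an env var, which the shell reads
# as data rather than parsing as code.
SAMPLE_WORKFLOW = """\
name: release
on:
  workflow_dispatch:
    inputs:
      version:
        required: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe
        run: ./release.sh ${{ github.event.inputs.version }}
      - name: safe
        env:
          VERSION: ${{ inputs.version }}
        run: |
          ./release.sh "$VERSION"
"""

# Expression forms through which a workflow_dispatch input reaches a step.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(?:github\.event\.inputs|inputs)\.[A-Za-z0-9_-]+\s*\}\}")

def find_injection_points(text):
    """Return (line_number, expression) for every untrusted ${{ }} expression
    inside a `run:` script, whether written inline or as a block scalar."""
    findings = []
    in_block, block_indent = False, -1
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_block and (not stripped or indent > block_indent):
            findings += [(lineno, e) for e in UNTRUSTED.findall(line)]
            continue
        in_block = False
        m = re.match(r"(?:-\s+)?run:\s*(.*)", stripped)
        if not m:
            continue  # env:, with:, name: and so on are not shell text
        body = m.group(1)
        findings += [(lineno, e) for e in UNTRUSTED.findall(body)]
        if body.rstrip() in ("|", ">", "|-", ">-", "|+", ">+"):
            in_block, block_indent = True, indent
    return findings
```

Running `find_injection_points(SAMPLE_WORKFLOW)` reports only the "unsafe" step; the `env:` mapping of the "safe" step is not shell text and is not flagged.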
Details
- CWE(s)