CVE-2026-41414
Published: 24 April 2026
Summary
CVE-2026-41414 is a high-severity Code Injection (CWE-94) vulnerability in the GitHub Actions CI workflow of skim-rs/skim, a fuzzy finder written in Rust. Its CVSS v3.1 base score is 7.4 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Poisoned Pipeline Execution (T1677). The vulnerability ranks at the 8.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
CM-6 (Configuration Settings): Establishes and enforces secure configuration settings for GitHub Actions workflows so that code from attacker-controlled forks is not executed with access to secrets.
AC-6 (Least Privilege): Enforces least privilege on GITHUB_TOKEN permissions and on which secrets a workflow job can read, limiting the impact of arbitrary code execution from pull requests.
SI-2 (Flaw Remediation): Requires timely identification, reporting, and remediation of flaws in CI/CD workflow configurations, as demonstrated by the fixing commit.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets an attacker-controlled pull request from a fork run arbitrary code inside the GitHub Actions CI workflow with access to the repository's secrets. That is poisoned pipeline execution in its direct form: the CI pipeline itself, and the development tooling and release artifacts that depend on it, are compromised.
NVD Description
Skim is a fuzzy finder designed to search through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.
Deeper analysis
CVE-2026-41414 is a code injection vulnerability (CWE-94) in the GitHub Actions workflow of Skim, a Rust-based fuzzy finder for navigating files, lines, and commands, hosted in the skim-rs/skim repository. The issue is in the generate-files job defined in .github/workflows/pr.yml, which checks out code from attacker-controlled forks and executes it with cargo run. Because cargo run compiles the checked-out crate (running any build script it carries) before launching the resulting binary, everything in the pull request's tree runs on the CI runner. The job runs with access to sensitive secrets, including SKIM_RS_BOT_PRIVATE_KEY and a GITHUB_TOKEN with contents:write permission. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) and was published on 2026-04-24.
Any GitHub user can exploit this by forking the repository and opening a pull request; no gate (such as a maintainer approval step) stands between the pull request and the workflow run. The attacker then has arbitrary code execution on the CI runner with the job's secrets in scope. The contents:write GITHUB_TOKEN allows commits and tags to be pushed to the repository, and SKIM_RS_BOT_PRIVATE_KEY can be exfiltrated and reused after the job ends, since, unlike the per-run GITHUB_TOKEN, a private key does not expire with the job. This is why the CVSS vector records high integrity impact with a changed scope: the attack crosses from the pull request into the repository and its credentials.
The vulnerability has been fixed in commit bf63404ad51985b00ed304690ba9d477860a5a75, as detailed in the project's GitHub security advisory (GHSA-9g93-rxr5-xhqw). The fix changes the repository's own workflow, so the exposure is to the skim-rs/skim repository and its CI credentials rather than to users who install skim; forks or copies that carry the old pr.yml should pick up the change. Maintainers of other projects should review their workflows for the same pattern: a job that holds secrets or a write-capable GITHUB_TOKEN while checking out and building the pull request head. Branch protection rules do not help here, because the workflow runs before anything is merged; the relevant controls are keeping secrets and write permissions out of any job that executes pull request code, setting the workflow's permissions to the minimum the job needs, never checking out the pull request head in a job that runs with the base repository's privileges, and rotating any secret such a job could read, since an exposed private key stays valid until it is revoked.
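As an added example, not code from skim or from the fix commit, the Python below audits an already-parsed workflow (the dict that yaml.safe_load returns) for the pattern the advisory describes: a job on a privileged pull request event that checks out the pull request head and then builds or runs it while holding secrets or a write-capable token. The two sample workflows are constructed; the pull_request_target trigger, the checkout expression and the step contents are assumptions modelled on the NVD description, since the page names the job, the command and the secrets but not the trigger or the exact steps.

```python
"""Audit parsed GitHub Actions workflows for the CVE-2026-41414 pattern.

Added example, not skim's pr.yml and not the project's fix. A job is reported
when it (1) runs on an event that gives fork pull requests the base repo's
secrets, (2) checks out the PR head (attacker-controlled code) and (3) then
executes anything from that tree. The exposure list says what such a job
would hand to the attacker.
"""
import json
import re

# Expressions that resolve to the PR author's commit rather than the base branch.
PR_HEAD_REFS = (
    "github.event.pull_request.head.sha",
    "github.event.pull_request.head.ref",
    "github.head_ref",
)
# Events whose runs carry the base repository's secrets even for fork PRs.
PRIVILEGED_EVENTS = {"pull_request_target", "workflow_run", "issue_comment"}
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")


def triggers(workflow):
    # PyYAML loads a bare `on:` key as the boolean True, so accept both spellings.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def checks_out_pr_head(step):
    uses = str(step.get("uses", ""))
    ref = str((step.get("with") or {}).get("ref", ""))
    return uses.startswith("actions/checkout") and any(h in ref for h in PR_HEAD_REFS)


def credential_exposure(workflow, job):
    """Token scopes and named secrets a `run:` step in this job can reach."""
    exposure = []
    perms = job.get("permissions", workflow.get("permissions"))  # job overrides workflow
    if perms is None or perms == "write-all":
        # No `permissions:` block means the repository default, which may be read/write.
        exposure.append("GITHUB_TOKEN: default or write-all permissions")
    elif isinstance(perms, dict):
        exposure += [f"GITHUB_TOKEN: {scope}:write" for scope, lvl in perms.items() if lvl == "write"]
    for name in SECRET_REF.findall(json.dumps(job)):
        if name != "GITHUB_TOKEN":  # the token is covered by its permissions above
            exposure.append(f"secret {name}")
    return sorted(set(exposure))


def audit(workflow):
    """Return one finding per job that builds fork code with credentials in scope."""
    privileged = triggers(workflow) & PRIVILEGED_EVENTS
    if not privileged:
        # On plain `pull_request`, fork PRs get no secrets and a read-only token,
        # so running their code is contained by GitHub itself.
        return []
    findings = []
    for name, job in (workflow.get("jobs") or {}).items():
        steps = job.get("steps") or []
        head = next((i for i, s in enumerate(steps) if checks_out_pr_head(s)), None)
        if head is None:
            continue
        # Any `run:` after the checkout executes the PR's tree; even `cargo build`
        # runs a crate's build.rs, so a build step counts as execution.
        if not any(str(s.get("run", "")).strip() for s in steps[head + 1:]):
            continue
        findings.append({"job": name, "triggers": sorted(privileged),
                         "exposure": credential_exposure(workflow, job)})
    return findings


# Constructed sample modelled on the NVD description; the trigger, checkout
# expression and step contents are assumptions, not a copy of skim's pr.yml.
VULNERABLE = {
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "write", "pull-requests": "write"},
    "jobs": {"generate-files": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"repository": "${{ github.event.pull_request.head.repo.full_name }}",
                  "ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "cargo run --release -- --generate",
         "env": {"GH_TOKEN": "${{ secrets.GITHUB_TOKEN }}",
                 "BOT_KEY": "${{ secrets.SKIM_RS_BOT_PRIVATE_KEY }}"}},
    ]}},
}

# Hardened counterpart (constructed): the PR's code still builds, but on the
# unprivileged event with a read-only token and no long-lived secret in reach.
HARDENED = {
    True: {"pull_request": None},
    "permissions": {"contents": "read"},
    "jobs": {"generate-files": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},  # default ref: the PR merge commit
        {"run": "cargo run --release -- --generate"},
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, json.dumps(audit(wf), indent=2))
```

Run audit over yaml.safe_load(open(path)) for each file under .github/workflows; a finding with a non-empty exposure list is the CVE-2026-41414 shape. The hardened sample produces no finding even though it still builds the contributor's code, because on the plain pull_request event fork pull requests receive no secrets and a read-only GITHUB_TOKEN, so the contributor's code cannot reach anything the repository needs to protect. A pull_request_target job that checks out only the base branch is likewise not reported, since the attacker's tree is never on the runner.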
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')