CVE-2026-22869
Published: 13 January 2026
Description
Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses the pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases.
Mitigating Controls (NIST 800-53 r5)
- Establishes and enforces secure configuration settings for CI/CD workflows to prevent use of pull_request_target triggers with untrusted code checkouts from forks.
- Restricts access to CI workflow configuration mechanisms to authorized personnel, preventing malicious modifications that enable arbitrary code execution.
- Implements configuration change control processes to review and approve modifications to CI workflows, blocking introduction of vulnerable trigger and checkout combinations.
Security Summary
CVE-2026-22869, published on 2026-01-13, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-94 (Code Injection) affecting Eigent, a multi-agent Workforce project hosted at github.com/eigent-ai/eigent. The flaw resides in the CI workflow defined in .github/workflows/ci.yml, which improperly uses the pull_request_target trigger alongside checkout of untrusted code from pull requests originating from forks. This configuration enables arbitrary code execution within the workflow environment.
Attackers can exploit this vulnerability by submitting a malicious pull request from a forked repository, requiring no special privileges per the CVSS base score (PR:N). Upon triggering the workflow, the untrusted PR code executes with repository write permissions in the base repository's context, allowing attackers to steal secrets or credentials, post comments, push arbitrary code, or create releases.
Mitigation details are outlined in the GitHub security advisory GHSA-gvh4-93cq-5xxp, with fixes applied via commit bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5 and pull requests #836 and #837. Security practitioners should audit and update CI workflows to avoid pull_request_target with untrusted checkouts, applying these patches to remediate affected instances.
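The trigger/checkout combination described above, shown as a constructed illustration beside a hardened equivalent (this is an added example, not Eigent's actual ci.yml or the project's fix; the npm commands and the triage job are assumed placeholders):

```yaml
# Constructed illustration of the vulnerable pattern; NOT Eigent's real ci.yml.
# --- Weak: privileged trigger + checkout of fork-controlled code ---
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The fork's commit is checked out into a job that holds the base
          # repository's write-capable GITHUB_TOKEN and its secrets.
          ref: ${{ github.event.pull_request.head.sha }}
      # Anything the PR controls (package.json scripts, tests, Makefile)
      # now executes with those credentials.
      - run: npm ci && npm test
---
# --- Hardened: untrusted code only ever runs under pull_request ---
name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read            # read-only token even for same-repo PRs
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Under pull_request a fork PR gets a read-only token and no secrets;
      # the default checkout is the merge commit, so no ref override is needed.
      - uses: actions/checkout@v4
      - run: npm ci && npm test
---
# --- If write access is genuinely needed (e.g. labelling the PR) ---
name: triage
on:
  pull_request_target:
    types: [opened]
permissions:
  contents: read
  pull-requests: write      # only the scope this job needs
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # No checkout and no execution of PR-controlled content in this job.
      - run: gh pr edit "$PR" --repo "$GITHUB_REPOSITORY" --add-label needs-review
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
```

When auditing, flag any workflow where `pull_request_target` and a checkout of `github.event.pull_request.head.*` (or any step that runs PR-controlled scripts) appear in the same job.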
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows arbitrary code execution in the CI workflow via a malicious PR from a fork, enabling supply-chain compromise of development tools and CI (T1195.001/.002) and theft of secrets and credentials (T1552).