CVE-2026-29075
Published: 06 March 2026
Description
Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out untrusted code in the benchmarks.yml workflow may lead to code execution in a privileged runner. This issue has been patched via commit c35b8cd.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the code injection flaw in Mesa's benchmarks.yml GitHub Actions workflow by applying the patch in commit c35b8cd.
Establishes and enforces secure configuration settings for CI/CD workflows to prevent execution of untrusted code checked out from malicious pull requests.
Requires developers to manage configuration changes in CI/CD pipelines like benchmarks.yml to avoid insecure handling of untrusted code.
Security Summary
CVE-2026-29075 affects Mesa, an open-source Python library used for agent-based modeling, simulating complex systems, and exploring emergent behaviors. The vulnerability, published on 2026-03-06, exists in version 3.5.0 and prior versions and stems from insecure checkout of untrusted code in the benchmarks.yml GitHub Actions workflow. The flaw is classified as CWE-94 (code injection) and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). The high severity reflects a network attack vector, low attack complexity, no required privileges or user interaction, and a scope change, with low impacts on confidentiality, integrity, and availability.
Attackers can exploit this vulnerability without privileges or user interaction by targeting the benchmarks.yml workflow, such as through malicious pull requests or contributions that trigger untrusted code checkout. Successful exploitation grants code execution within a privileged GitHub Actions runner environment, potentially allowing attackers to run arbitrary commands, access runner secrets, or manipulate the CI/CD pipeline.
Mitigation is available via a patch in commit c35b8cd67fc89dd680ae218e49b77f6e1ee07a27. The GitHub security advisory (GHSA-3j55-5q6x-2h48) details the issue and recommends updating to a patched version of Mesa beyond 3.5.0, along with reviewing and securing GitHub Actions workflows to prevent untrusted code execution.
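One way to carry out the workflow review recommended above, as an added example that is not code from the Mesa project or the advisory: a small auditor that flags a workflow combining a privileged trigger with a checkout of pull-request-controlled code. The sample workflow is constructed and is not Mesa's benchmarks.yml; treating `pull_request_target` or `workflow_run` plus a PR-head `ref:` as the risky pattern is a general GitHub Actions assumption, not a detail stated on this page.

```python
import re

# Triggers that run with the base repository's secrets and token,
# even when the event comes from a fork (general GitHub Actions behaviour).
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")
# Expressions that resolve to contributor-controlled refs.
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)"
    r"|github\.head_ref|refs/pull/.+/(head|merge)"
)
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
REF_LINE = re.compile(r"^\s*ref:\s*(.+)$")

# Constructed sample workflow (hypothetical, not the project's file).
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: python run_benchmarks.py
"""
# Same steps under the unprivileged pull_request trigger.
SAFE = VULNERABLE.replace("pull_request_target", "pull_request")


def audit_workflow(text):
    """Return one finding per checkout of PR code under a privileged trigger."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    triggers = [t for t in PRIVILEGED_TRIGGERS
                if any(re.search(rf"\b{t}\b", l) for l in lines)]
    if not triggers:
        return []
    findings = []
    for i, line in enumerate(lines):
        if not CHECKOUT.search(line):
            continue
        for follow in lines[i + 1:]:  # scan this step until the next "- " item
            if re.match(r"^\s*-\s", follow):
                break
            m = REF_LINE.match(follow)
            if m and UNTRUSTED_REF.search(m.group(1)):
                findings.append({"triggers": triggers, "ref": m.group(1).strip()})
    return findings
```

The check is line-based so it runs without a YAML parser; a finding means the workflow needs manual review, and a clean result does not prove the workflow is safe.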
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables arbitrary code execution in GitHub Actions CI/CD pipeline via malicious pull requests, directly facilitating Poisoned Pipeline Execution (T1677) and Compromise Software Supply Chain (T1195.002).