CVE-2026-31900
Published: 11 March 2026
Description
Adversaries may manipulate continuous integration / continuous delivery (CI/CD) processes by injecting malicious code into the build process.
Security Summary
CVE-2026-31900 is a high-severity vulnerability in the GitHub Action provided by Black, an uncompromising Python code formatter. The issue arises when the action is configured with the `use_pyproject: true` option, which reads the Black version from the repository's `pyproject.toml` file. A malicious actor can exploit this by submitting a pull request that modifies `pyproject.toml` to reference a direct URL pointing to a malicious repository, potentially leading to arbitrary code execution within the GitHub Action's context.
The vulnerability can be exploited by any unauthenticated attacker able to submit a pull request to a target repository that uses the affected Black GitHub Action. No special privileges, user interaction, or complex setup are required, as reflected in the CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants the attacker arbitrary code execution in the action's runner environment, enabling access to any secrets or permissions configured for that workflow, such as repository tokens or deployment credentials.
The Black project addressed this in version 26.3.0, as detailed in the security advisory (GHSA-v53h-f6m7-xcgm) and corresponding commit (0a2560b981364dde4c8cf8ce9d164c40669a8611). Security practitioners should update to Black 26.3.0 or later, disable the `use_pyproject: true` option in workflows, and review pull request workflows for supply chain risks, particularly in repositories relying on dynamic dependency resolution from untrusted sources.
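The remediation above (pin Black to an exact release and stop resolving it from `pyproject.toml`) can be enforced as a pre-merge check. The following script is an added example, not code from the Black project or from the advisory: it parses a repository's `pyproject.toml` and reports every requirement on Black that is a PEP 508 direct reference (`black @ <url>`) or an unpinned specifier. Which tables it inspects (`project.dependencies`, `project.optional-dependencies`, `dependency-groups`, `tool.black.required-version`) is an assumption about where a CI tool might look for a Black version, not a description of the action's own lookup logic; the sample `pyproject.toml` contents and the `example.invalid` URL are constructed.

```python
"""Flag pyproject.toml entries that would let a CI step resolve Black from an
attacker-controlled source.  Hypothetical defensive check written for this
advisory; not part of Black.  The set of tables scanned is an assumption."""
import re
from typing import List, Optional, Tuple

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# PEP 508: distribution name, optional [extras], then either "@ url" or a
# version specifier (optionally followed by "; marker").
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(?P<rest>.*)$"
)
# Exactly one "==" pin with a concrete version; "26.*" and ranges do not count.
_PINNED_RE = re.compile(r"==\s*\d[\w.!+-]*")


def classify_requirement(req: str) -> Optional[str]:
    """Return 'direct-url', 'unpinned' or 'pinned' for a Black requirement.

    Returns None for requirements on any other package."""
    m = _REQ_RE.match(req)
    if not m:
        return None
    name = m.group("name").lower().replace("_", "-")
    if name != "black":
        return None
    rest = m.group("rest").strip()
    if rest.startswith("@"):
        return "direct-url"  # direct reference: code fetched from a URL
    spec = rest.split(";", 1)[0].strip()  # drop environment markers
    return "pinned" if _PINNED_RE.fullmatch(spec) else "unpinned"


def audit_pyproject(text: str) -> List[Tuple[str, str, str]]:
    """Walk the tables a CI tool might consult and list every Black requirement
    as (location, requirement, verdict), in document order."""
    data = tomllib.loads(text)
    findings: List[Tuple[str, str, str]] = []

    def scan(location: str, reqs) -> None:
        for req in reqs:
            if not isinstance(req, str):  # e.g. {include-group = "..."} entries
                continue
            verdict = classify_requirement(req)
            if verdict:
                findings.append((location, req, verdict))

    project = data.get("project", {})
    scan("project.dependencies", project.get("dependencies", []))
    for extra, reqs in project.get("optional-dependencies", {}).items():
        scan(f"project.optional-dependencies.{extra}", reqs)
    for group, reqs in data.get("dependency-groups", {}).items():
        scan(f"dependency-groups.{group}", reqs)
    # Assumption: treat a bare version in tool.black.required-version as "==".
    required = data.get("tool", {}).get("black", {}).get("required-version")
    if isinstance(required, str):
        spec = required if required[:1] in "=<>!~" else f"=={required}"
        scan("tool.black.required-version", [f"black{spec}"])
    return findings


def has_unsafe_black(text: str) -> bool:
    """True if any Black requirement is a direct reference or not exactly pinned."""
    return any(verdict != "pinned" for _, _, verdict in audit_pyproject(text))


# Constructed sample inputs (not taken from any real repository).
SAFE_PYPROJECT = """
[project]
name = "demo"
dependencies = ["requests>=2"]

[dependency-groups]
dev = ["black==26.3.0"]
"""

UNSAFE_PYPROJECT = """
[project]
name = "demo"
dependencies = ["black>=24"]

[project.optional-dependencies]
dev = ["Black[jupyter] @ git+https://example.invalid/attacker/black.git"]
"""

if __name__ == "__main__":
    for label, text in (("safe", SAFE_PYPROJECT), ("unsafe", UNSAFE_PYPROJECT)):
        print(label, "->", "REJECT" if has_unsafe_black(text) else "ok")
        for location, req, verdict in audit_pyproject(text):
            print(f"  {verdict:10} {location}: {req}")
```

Run it against the repository's `pyproject.toml` in a pull-request workflow (or a pre-commit hook) and fail the job when `has_unsafe_black` returns true; together with pinning the action's `version` input this removes the path by which a pull request can choose where the formatter is fetched from.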
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables supply chain compromise by modifying pyproject.toml in a pull request to reference malicious code repositories, leading to poisoned pipeline execution in GitHub Actions.