CVE-2026-39866
Published: 21 April 2026
Description
Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of untrusted inputs, directly preventing command injection via malicious workflow dispatch parameters in release_update.yml.
SA-10 requires developer configuration management during development and operation, ensuring secure handling of CI/CD workflow files like release_update.yml.
AC-6 enforces least privilege, restricting which authenticated users can trigger the vulnerable workflow dispatch; exploitation needs only the low-privilege (PR:L) access that such users hold.
Security Summary
CVE-2026-39866 is a command injection vulnerability (CWE-77) in the Lawnchair open-source Android launcher application. The issue resides in the release_update.yml GitHub Actions workflow, specifically in the handling of workflow dispatch inputs, which prior to commit fcba413f55dd47f8a3921445252849126c6266b2 allows attackers to execute arbitrary commands. Lawnchair users are not directly impacted, as the vulnerability affects the project's CI/CD pipeline on GitHub rather than the app itself. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and comprehensive impact on confidentiality, integrity, and availability.
Exploitation requires low privileges (PR:L), typically granted to authenticated GitHub users with permissions to trigger workflow dispatches on the Lawnchair repository, such as collaborators or contributors. An attacker could submit a malicious payload via the workflow dispatch input, leading to remote arbitrary code execution on the GitHub-hosted runners used by the repository. This could enable attackers to steal secrets, modify repository contents, deploy malicious code, or disrupt builds, potentially compromising the supply chain for Lawnchair releases.
The patching commit fcba413f55dd47f8a3921445252849126c6266b2 addresses the issue by sanitizing or validating the vulnerable input in release_update.yml, as detailed in the Lawnchair GitHub security advisory GHSA-9prc-pp2c-3427. Security practitioners monitoring open-source Android projects should verify that affected repositories have applied this commit and review workflow files for similar dispatch input risks, especially in public repositories with active contributors.
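As an added example (not Lawnchair's code, and not the real contents of release_update.yml, which this page does not reproduce), the constructed workflow below shows the unsafe pattern behind this bug class next to the env-based form that avoids it, followed by a small POSIX shell scanner that flags the unsafe form across workflow files; the input name `version`, the script path and the step names are assumptions.

```shell
#!/bin/sh
# Added example, not Lawnchair's own release_update.yml (not reproduced on this
# page); the workflow is constructed. A ${{ }} expression is pasted into the step
# script before the shell parses it, so the input is code; via env: it is data.

SAMPLE_WORKFLOW='name: release-update   # constructed sample, assumed input name
on:
  workflow_dispatch:
    inputs:
      version: { required: true }
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe, the input is spliced into the script text
        run: |
          echo "Releasing ${{ github.event.inputs.version }}"
          ./scripts/bump.sh ${{ inputs.version }}
      - name: safe, the input reaches the shell only as an environment variable
        env:
          VERSION: ${{ inputs.version }}
        run: |
          echo "Releasing $VERSION"
          ./scripts/bump.sh "$VERSION"
'

# scan_workflow FILE...: print FILE:LINE: text for each line of a run: step that
# expands a dispatch input inline; exits 1 if any were found, so it can gate CI.
# A run: block ends at the next non-blank line indented no deeper than the key.
scan_workflow() {
  awk -v PAT='[$][{][{] *(github[.]event[.])?inputs[.]' '
    function col(s) { match(s, /^[ \t]*/); return RLENGTH }
    function report(  t) { t = $0; sub(/^[ \t]+/, "", t); print FILENAME ":" FNR ": " t; found++ }
    FNR == 1 { in_run = 0 }
    /^[ \t]*(- +)?run:/ {
      in_run = 1; run_col = index($0, "run:") - 1
      if ($0 ~ PAT) report()        # inline form: run: echo ${{ inputs.x }}
      next
    }
    NF == 0 { next }                # blank lines do not end a block scalar
    in_run && col($0) <= run_col { in_run = 0 }
    in_run && $0 ~ PAT { report() }
    END { if (found) exit 1 }
  ' "$@"
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_WORKFLOW" > "$tmp"
scan_workflow "$tmp" || echo "unsafe interpolation found, fix before merging"
rm -f "$tmp"
```

Run it against `.github/workflows/*.yml` in a pre-merge check; only the two lines of the unsafe step are reported, while the `env:` mapping of the safe step is not.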
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a GitHub Actions CI/CD workflow directly enables poisoned pipeline execution (T1677) and, through RCE on the runners, facilitates software supply chain compromise (T1195.002).