← Retour aux CVEs

CVE-2026-22869

CRITICAL

9.8

Description

Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie1/13/2026

Derniere modification1/29/2026

Sourcenvd

Observations honeypot0

Produits affectes

eigent:eigent

Faiblesses (CWE)

CWE-94

References

https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5(security-advisories@github.com)

https://github.com/eigent-ai/eigent/pull/836(security-advisories@github.com)

https://github.com/eigent-ai/eigent/pull/837(security-advisories@github.com)

https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.