CVE-2026-29075 Overview
CVE-2026-29075 is a critical code injection vulnerability in Mesa, an open-source Python library for agent-based modeling. The vulnerability exists in the benchmarks.yml GitHub Actions workflow, where checking out untrusted code may lead to arbitrary code execution in a privileged runner context. This flaw affects Mesa version 3.5.0 and prior versions, potentially allowing attackers to compromise the CI/CD pipeline and execute malicious code with elevated privileges.
Critical Impact
Attackers can exploit this vulnerability to execute arbitrary code within GitHub Actions runners, potentially leading to supply chain compromise, credential theft, and unauthorized access to repository secrets.
Affected Products
- Mesa Python Library version 3.5.0 and prior
- mesa_project mesa (Python package)
- Projects utilizing affected Mesa versions in CI/CD pipelines
Discovery Timeline
- 2026-03-06 - CVE-2026-29075 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-29075
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code), commonly known as Code Injection. The flaw resides in the benchmarks.yml GitHub Actions workflow configuration, which improperly handles checkout operations for untrusted code contributions.
When the workflow processes pull requests or other external contributions, it checks out the submitted code in a privileged runner environment without adequate security controls. This creates an opportunity for attackers to inject malicious code that executes during the CI/CD pipeline with the runner's elevated permissions.
The vulnerability is network-accessible and requires no authentication or user interaction to exploit, making it particularly dangerous for open-source projects that accept external contributions. Successful exploitation could result in complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of this vulnerability is improper workflow configuration in benchmarks.yml that allows untrusted code to execute in a privileged context. GitHub Actions workflows that check out code from pull requests without proper isolation can inadvertently grant attackers access to repository secrets, deployment credentials, and the ability to modify the codebase.
The workflow failed to implement security best practices such as:
- Using pull_request_target with appropriate restrictions
- Isolating untrusted code execution from privileged operations
- Implementing proper permission boundaries for workflow runs
Attack Vector
The attack vector is network-based, requiring an attacker to submit a malicious pull request or contribution to a repository using the vulnerable Mesa library. The attack flow involves:
- An attacker identifies a repository using a vulnerable version of Mesa
- The attacker crafts a malicious pull request containing code designed to exploit the workflow
- When the benchmarks.yml workflow triggers, it checks out the attacker's code
- The malicious code executes within the privileged runner environment
- The attacker gains access to secrets, tokens, or the ability to modify repository contents
The vulnerability mechanism involves the unsafe checkout of untrusted code in GitHub Actions workflows. When a workflow uses actions/checkout to fetch code from a pull request without proper security boundaries, any scripts or code within that checkout can execute with the runner's permissions. For detailed technical analysis, see the GitHub Security Advisory GHSA-3j55-5q6x-2h48.
Detection Methods for CVE-2026-29075
Indicators of Compromise
- Unexpected workflow runs on privileged runners from external contributors
- Unauthorized access to repository secrets or environment variables
- Suspicious modifications to repository files following workflow execution
- Unusual network connections or data exfiltration from CI/CD runners
Detection Strategies
- Review GitHub Actions audit logs for unusual workflow execution patterns
- Monitor for unexpected changes to workflow files or repository configurations
- Implement branch protection rules to require approval for external contributions
- Use GitHub's security alerts and Dependabot to identify vulnerable Mesa versions
Monitoring Recommendations
- Enable GitHub Actions audit logging and regularly review execution history
- Set up alerts for workflow runs triggered by first-time contributors
- Monitor runner environments for unexpected processes or network activity
- Implement secret scanning to detect potential credential exposure
How to Mitigate CVE-2026-29075
Immediate Actions Required
- Update Mesa to a version containing commit c35b8cd67fc89dd680ae218e49b77f6e1ee07a27 or later
- Review all GitHub Actions workflows for similar unsafe checkout patterns
- Audit recent workflow runs for signs of exploitation
- Rotate any secrets that may have been exposed through CI/CD pipelines
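One way to carry out the workflow review listed above, as an added example that is not Mesa's code or part of the advisory: a standard-library Python heuristic that flags an actions/checkout step fetching the pull request head in a workflow triggered by pull_request_target. The function names, the matched ref expressions and the sample workflow are constructed assumptions; the page does not reproduce benchmarks.yml.

```python
import re

# Trigger that runs with the base repository's secrets and token.
PRIVILEGED = re.compile(r"\bpull_request_target\b")
CHECKOUT = re.compile(r"\buses:\s*actions/checkout@")
# Refs that resolve to code supplied by the pull request author.
HEAD_REF = re.compile(
    r"\bref:.*(github\.event\.pull_request\.head\.(sha|ref)"
    r"|github\.head_ref|refs/pull/)")
MSG = "checkout of PR head under pull_request_target"

def _code(line):
    """Drop YAML comments so commented-out examples are not flagged."""
    return re.sub(r"(^|\s)#.*$", "", line)

def audit_workflow(text):
    """Return [(line_no, MSG)] for one workflow file's text (heuristic)."""
    lines = [_code(l) for l in text.splitlines()]
    if not any(PRIVILEGED.search(l) for l in lines):
        return []  # no privileged trigger found
    findings, step = [], []
    # A trailing sentinel item flushes the last step.
    for no, line in list(enumerate(lines, 1)) + [(0, "- ")]:
        if line.lstrip().startswith("- "):  # new list item ends the step
            if any(CHECKOUT.search(l) for _, l in step):
                findings += [(n, MSG) for n, l in step if HEAD_REF.search(l)]
            step = []
        step.append((no, line))
    return findings

# Constructed sample workflow, not the project's benchmarks.yml.
UNSAFE = """\
on:
  pull_request_target:
    branches: [main]
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: python run_benchmarks.py  # hypothetical script name
"""
UNPRIVILEGED = UNSAFE.replace("pull_request_target", "pull_request")

if __name__ == "__main__":
    for name, wf in (("UNSAFE", UNSAFE), ("UNPRIVILEGED", UNPRIVILEGED)):
        print(name, audit_workflow(wf))
```

The check is line-based and does not parse YAML, so treat a hit as a prompt for manual review of the workflow rather than a verdict.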
Patch Information
The vulnerability has been patched via commit c35b8cd. Users should update to the latest version of Mesa that includes this fix. The patch can be verified by reviewing the GitHub commit c35b8cd67fc89dd680ae218e49b77f6e1ee07a27.
For more details on the vulnerability and remediation, consult the GitHub Security Advisory GHSA-3j55-5q6x-2h48.
Workarounds
- Restrict workflow triggers to exclude pull_request events from untrusted sources
- Use pull_request_target with explicit checkout restrictions for external contributions
- Implement manual approval requirements for workflows processing external code
- Isolate benchmark execution in separate, unprivileged workflow jobs
# Configuration example - Secure workflow trigger configuration
# Instead of triggering on all pull_request events:
# on:
#   pull_request:
#     branches: [main]
# Use workflow_dispatch with manual approval or restrict to trusted branches:
# on:
#   push:
#     branches: [main]
#   workflow_dispatch:
# Or use pull_request_target with explicit ref checkout:
# on:
#   pull_request_target:
#     branches: [main]
# Note: When using pull_request_target, only checkout the base branch
# and never checkout or run untrusted code from the PR head

