CVE-2026-35580 Overview
CVE-2026-35580 is a command injection vulnerability affecting Emissary, a P2P based data-driven workflow engine developed by the National Security Agency (NSA). Prior to version 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users.
Critical Impact
This vulnerability enables supply chain attacks through GitHub Actions workflow manipulation, potentially compromising all downstream users of the Emissary project.
Affected Products
- Emissary versions prior to 8.39.0
- GitHub Actions workflows in the NationalSecurityAgency/emissary repository
Discovery Timeline
- 2026-04-07 - CVE-2026-35580 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35580
Vulnerability Analysis
This vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), commonly known as command injection. The flaw exists within GitHub Actions workflow files where user-supplied inputs from workflow_dispatch events are directly interpolated into shell commands without proper sanitization.
GitHub Actions uses the ${{ }} expression syntax for variable interpolation. When user-controlled inputs are placed directly within shell commands using this syntax, attackers can break out of the intended context and inject arbitrary shell commands. This is particularly dangerous in CI/CD pipelines as it can lead to code execution within the build environment with access to repository secrets, deployment credentials, and the ability to modify repository contents.
Root Cause
The root cause is the unsafe use of GitHub Actions expression syntax (${{ }}) for interpolating user-controlled workflow_dispatch inputs directly into shell command strings. This pattern allows attackers to inject shell metacharacters and arbitrary commands that execute in the context of the GitHub Actions runner.
Safe alternatives include using environment variables or intermediate steps to sanitize inputs before they reach shell commands, or using GitHub Actions' built-in input validation features.
Attack Vector
The attack requires network access and elevated privileges (repository write access). An attacker with the ability to trigger workflow_dispatch events could craft malicious input values containing shell metacharacters and commands. When the workflow executes, these payloads would be interpreted by the shell, allowing command execution within the CI/CD environment.
This attack vector is particularly concerning for supply chain security as compromised workflows can:
- Exfiltrate repository secrets and credentials
- Modify build artifacts to inject malicious code
- Poison releases distributed to downstream users
- Establish persistence through modified workflow files
The vulnerability mechanism involves user-controlled workflow dispatch inputs being passed directly into shell contexts. When a malicious actor crafts an input containing shell metacharacters such as semicolons, backticks, or command substitution syntax, the shell interpreter executes these as commands rather than treating them as literal string values. For detailed technical analysis, see the GitHub Security Advisory GHSA-3g6g-gq4r-xjm9.
Detection Methods for CVE-2026-35580
Indicators of Compromise
- Unusual or unexpected workflow runs triggered via workflow_dispatch with suspicious input values
- Workflow execution logs containing unexpected command outputs or error messages
- Modifications to repository files, releases, or artifacts following workflow execution
- Unexpected access to repository secrets or environment variables in workflow logs
Detection Strategies
- Audit GitHub Actions workflow files for direct use of ${{ }} expressions in shell command contexts
- Monitor workflow dispatch events for inputs containing shell metacharacters (;, |, $(), backticks)
- Review GitHub Actions audit logs for unusual workflow trigger patterns
- Implement static analysis scanning of workflow files to detect unsafe expression usage
Monitoring Recommendations
- Enable GitHub Advanced Security code scanning to detect workflow injection patterns
- Configure alerts for workflow_dispatch events from unexpected sources or with anomalous inputs
- Monitor for changes to .github/workflows/ directory files
- Review GitHub Actions runner logs for signs of command injection attempts
How to Mitigate CVE-2026-35580
Immediate Actions Required
- Upgrade Emissary to version 8.39.0 or later immediately
- Audit all GitHub Actions workflow files for unsafe ${{ }} expression usage in shell contexts
- Review recent workflow execution logs for signs of exploitation
- Rotate any secrets that may have been exposed through CI/CD pipelines
Patch Information
The vulnerability has been fixed in Emissary version 8.39.0. The fix was implemented through Pull Request #1286 and Pull Request #1288. Organizations using Emissary should upgrade to the patched version immediately.
For additional details, refer to the GitHub Security Advisory GHSA-3g6g-gq4r-xjm9.
Workarounds
- Use environment variables instead of direct expression interpolation: set inputs as environment variables first, then reference them safely
- Implement input validation at the workflow level before any shell commands execute
- Restrict workflow_dispatch permissions to trusted maintainers only
- Consider disabling manual workflow triggers until patches can be applied
# Safer pattern: pass the input through an environment variable instead of
# interpolating it into the command; the shell then sees $USER_INPUT as data, not code.
# Instead of:
#   run: echo "${{ github.event.inputs.user_input }}"
# Use:
- name: Echo input safely
  env:
    USER_INPUT: ${{ github.event.inputs.user_input }}
  run: echo "$USER_INPUT"
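As an added example (not code from the Emissary project or this advisory), the following Python scanner implements the audit step recommended above: it walks a workflow file, tracks `run:` scripts by indentation, and reports every ${{ }} expression that lands in a shell context, marking those rooted in workflow_dispatch or event inputs as user-controlled. The workflow text is constructed for the demonstration; the env-variable pattern from the Workarounds section is included and is correctly left unflagged.

```python
import re
from typing import List, Tuple

# Constructed sample (not an Emissary workflow): one step interpolating a
# workflow_dispatch input straight into a shell script, one step using the
# env-variable pattern, and one step using a non-user-controlled expression.
SAMPLE_WORKFLOW = """\
name: release
on:
  workflow_dispatch:
    inputs:
      version:
        description: Version to build
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe
        run: |
          echo "Building ${{ github.event.inputs.version }}"
          ./gradlew -Pversion=${{ inputs.version }} build
      - name: safe
        env:
          VERSION: ${{ inputs.version }}
        run: echo "Building $VERSION"
      - name: low-risk
        run: echo "${{ runner.os }}"
"""

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Expression roots an attacker can influence: dispatch inputs and event payloads.
UNTRUSTED = re.compile(r"^(inputs\.|github\.event\.)")

def find_run_injections(text: str) -> List[Tuple[int, str, bool]]:
    """Return (line, expression, user_controlled) for each ${{ }} inside a run: script.

    run: blocks are tracked by indentation, so expressions under env: or with:
    (which are not shell contexts) are not reported.
    """
    findings, in_run, run_indent = [], False, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if not (in_run and (stripped == "" or indent > run_indent)):
            in_run = False                      # left the previous block scalar
            m = re.match(r"(-\s+)?run:\s*(.*)$", stripped)
            if not m:
                continue
            # inline "run: cmd", or "run: |" opening a block scalar
            in_run, run_indent = True, indent + len(m.group(1) or "")
            line = m.group(2)
        for e in EXPR.finditer(line):
            findings.append((lineno, e.group(1), bool(UNTRUSTED.match(e.group(1)))))
    return findings

if __name__ == "__main__":
    for lineno, expr, tainted in find_run_injections(SAMPLE_WORKFLOW):
        print(f"line {lineno}: ${{{{ {expr} }}}} in run: {'USER-CONTROLLED' if tainted else 'review'}")
```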
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.