Command Injection in Cocos Engine workflow
Description
Cocos Engine is an open-source framework for building 2D and 3D real-time rendering and interactive content. In the GitHub repository for Cocos Engine, the web-interface-check.yml workflow was subject to command injection. The workflow was triggered when a pull request was opened or updated and contained the user-controllable field ${{ github.head_ref }} (the name of the fork's branch). This would allow an attacker to take over the GitHub Runner, run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and alter the repository. The workflow has since been removed from the repository. No action is required of users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection in Cocos Engine's GitHub Actions workflow allows attackers to execute arbitrary commands via a crafted fork branch name.
Vulnerability
CVE-2023-26493 is a command injection vulnerability in Cocos Engine's GitHub Actions workflow web-interface-check.yml. The workflow was triggered on pull_request_target events and used the user-controllable field ${{ github.head_ref }} (the name of the fork's branch) in a git command without sanitization. This affected the Cocos Engine repository up to version 3.7.0 [1].
Exploitation
An attacker forks the cocos/cocos-engine repository, creates a branch with a malicious name (e.g., develop;echo${IFS}"hello";#), and opens a pull request to the base repository. The workflow runs and executes the injected command on the GitHub Runner with a repository token that has write access, giving arbitrary command execution [1].
Impact
Successful exploitation gives the attacker control over the GitHub Runner, enabling theft of secrets like GITHUB_TOKEN and unauthorized modification of the repository contents [1].
Mitigation
The vulnerable workflow was disabled on 2023-02-17 and removed from the repository on 2023-02-21 via commit 6d06aefa2684e20da79e7ceaf41f728c1a8d7a41 [2][3]. No action is required from users, as the workflow has been deleted [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
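As an added illustration, not code from the Cocos Engine repository or the advisory, the following Python checker looks for the pattern described under Vulnerability and Mitigation: an untrusted expression such as ${{ github.head_ref }} expanded inside a run: script. A constructed vulnerable workflow fragment is shown next to the hardened form that passes the value through an environment variable; both fragments and the watch list of untrusted contexts are assumptions, not the real web-interface-check.yml.

```python
import re
# Contexts a fork author controls on pull_request_target; github.head_ref is the page's
# case, the rest are this example's own (assumed) watch list.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref|github\.event\.pull_request\.(title|body|head\.ref|head\.label))\s*\}\}"
)

def find_run_injections(workflow_text):
    """Return (line_no, expression) for untrusted ${{ }} expressions inside run: scripts.
    Works on raw YAML text; a run: block is tracked by indentation (run: | and - run:)."""
    findings, in_run, run_indent = [], False, 0
    for n, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        m = re.match(r"(?:-\s*)?run:\s*(.*)$", stripped)
        if m:                       # start of a run: script (inline or block scalar)
            in_run, run_indent, body = True, indent, m.group(1)
        elif in_run and (indent > run_indent or not stripped):
            body = stripped         # continuation line of the block scalar
        else:
            in_run = False          # back at a sibling key such as env: or - name:
            continue
        findings.extend((n, e.group(0)) for e in UNTRUSTED.finditer(body))
    return findings

# Constructed stand-in for the vulnerable pattern, not the real workflow file: the
# expression is substituted into the script text, so the branch name becomes shell code.
VULNERABLE = """\
on: pull_request_target
jobs:
  check:
    steps:
      - name: inspect fork branch
        run: |
          git fetch origin ${{ github.head_ref }}
"""
# Hardened form: the value enters the script only through an environment variable and
# is quoted, so the shell treats it as data rather than as a command.
HARDENED = """\
on: pull_request_target
jobs:
  check:
    steps:
      - name: inspect fork branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          git fetch origin "$HEAD_REF"
"""
```

Running find_run_injections over a repository's .github/workflows directory gives a quick triage list; the env-variable form is the fix GitHub recommends for this class of injection.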
Affected products
- cocos/cocos-engine v5, Range: < 6d06aefa26
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/cocos/cocos-engine/blob/2362df28a4b3016dbda804899041279701929728/.github/workflows/web-interface-check.yml (MITRE, x_refsource_MISC)
- https://github.com/cocos/cocos-engine/commit/6d06aefa2684e20da79e7ceaf41f728c1a8d7a41 (MITRE, x_refsource_MISC)
- https://securitylab.github.com/advisories/GHSL-2023-027_Engine_for_Cocos_Creator/ (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.