CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration
Description
Summary
The GitHub Actions workflow (.github/workflows/static.yml) uses the pull_request_target trigger but dangerously checks out the unverified code from the pull request head (ref: ${{ github.event.pull_request.head.ref }}). Subsequently, it executes a script (bin/console) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability.
Steps to Reproduce:
1. Fork the target repository.
2. In the forked repository, modify a file that satisfies the paths condition (e.g., src/dummy.php or composer.json) to trigger the workflow.
3. Modify the bin/console file (which is executed in the workflow steps) with the following malicious payload:
```bash
#!/bin/bash
echo "=== PWNED ==="
echo "whoami:"
whoami
```
4. Commit the changes and open a Pull Request against the 5.0 or next branch of the base repository.
5. The Static Tests workflow will trigger automatically. Navigate to the Actions tab and inspect the logs for the Validate YAML step (or any step executing bin/console).
6. You will see the output of whoami (typically runner), proving that the arbitrary code was successfully executed in the runner's context.
Impact: Because pull_request_target runs in the context of the base repository, the runner has access to repository secrets (e.g., PIMCORE_SECRET, PIMCORE_PRODUCT_KEY) loaded in the environment. An attacker can exfiltrate these secrets, modify repository contents (if the token has write permissions), or abuse the runner's computing resources.
Recommended Mitigation: Do not check out untrusted PR code (head.ref) when using pull_request_target if the code will be built or executed. Consider adopting a separated architecture using the workflow_run event:
1. Use the pull_request event to safely run the build/tests in an unprivileged sandbox and upload artifacts.
2. Use the workflow_run event (which is privileged) to download the artifacts and perform actions requiring secrets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The GitHub Actions workflow uses pull_request_target with an unsafe checkout of PR head ref, enabling RCE via a malicious pull request.
Vulnerability
Overview
The GitHub Actions workflow defined in .github/workflows/static.yml uses the pull_request_target trigger, which runs in the context of the base repository with full access to secrets. The workflow dangerously checks out the unverified code from the pull request head using ref: ${{ github.event.pull_request.head.ref }} and then executes the bin/console script from that untrusted checkout. This design flaw allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request, a pattern known as a "Pwn Request" vulnerability [1][2].
Exploitation
An attacker forks the target repository, modifies a file that satisfies the workflow's paths condition (e.g., src/dummy.php or composer.json), and replaces the bin/console file with a malicious payload. When a Pull Request is opened against the 5.0 or next branch, the workflow triggers automatically. The runner checks out the attacker's code and executes the compromised bin/console, which runs arbitrary commands (e.g., whoami) in the runner's context [1][2].
Impact
Because pull_request_target runs with the privileges of the base repository, the runner has access to repository secrets such as PIMCORE_SECRET and PIMCORE_PRODUCT_KEY. An attacker can exfiltrate these secrets, modify repository contents (if the token has write permissions), or abuse the runner's computing resources. The impact is critical, as it enables full compromise of the CI/CD pipeline and associated secrets [1][2].
Mitigation
The recommended mitigation is to avoid checking out untrusted PR code (head.ref) when using pull_request_target if the code will be built or executed. A safer architecture uses the pull_request event for unprivileged sandboxed tests and the workflow_run event for privileged actions that require secrets [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
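The following scanner is an added example and is not part of this advisory or the CoreShop project. It covers both the Summary/Mitigation section above and the AI Insight overview: it reads a workflow file and flags the "Pwn Request" shape, a privileged trigger (pull_request_target, or workflow_run as used in the recommended split) combined with a checkout of the pull request head and a later step that executes it, with secrets referenced in the same workflow. The three workflow texts are constructed to mirror the vulnerable shape and the recommended pull_request / workflow_run split; they are not the project's actual static.yml. The scanner is a line-oriented heuristic rather than a YAML parser, which is enough for the indentation conventions workflow files normally follow.

```python
"""Heuristic scanner for the "Pwn Request" shape: a privileged trigger that
checks out untrusted PR code and then executes it. Added example, not
CoreShop's tooling; the workflow texts are constructed, not the real static.yml."""
import re

# Constructed: the vulnerable shape the advisory describes.
VULNERABLE_WORKFLOW = """\
name: Static Tests
on:
  pull_request_target:
    paths: ['src/**', 'composer.json']
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}   # attacker-controlled
      - name: Validate YAML
        run: bin/console lint:yaml config                  # PR code, secrets loaded
        env:
          PIMCORE_SECRET: ${{ secrets.PIMCORE_SECRET }}
"""

# Constructed: the mitigated split. Unprivileged half runs PR code without secrets ...
SAFE_WORKFLOW = """\
name: Static Tests
on:
  pull_request:
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: bin/console lint:yaml config
"""

# ... and the privileged half only ever checks out the base branch (no ref: override).
SAFE_PRIVILEGED_WORKFLOW = """\
name: Publish results
on:
  workflow_run:
    workflows: ["Static Tests"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish.sh   # trusted code from the base branch
        env:
          PIMCORE_SECRET: ${{ secrets.PIMCORE_SECRET }}
"""

PRIVILEGED_TRIGGER = re.compile(r"\b(pull_request_target|workflow_run)\b")
# Refs that resolve to PR-controlled code, including the workflow_run analogue.
UNTRUSTED_REF = re.compile(
    r"ref:\s*(\$\{\{\s*github\.(event\.pull_request\.head\.(ref|sha)|head_ref"
    r"|event\.workflow_run\.head_(sha|branch))\s*\}\}|refs/pull/)")


def _steps(lines):
    """Group the lines of each `steps:` list into one list of strings per step."""
    steps, current, list_indent, item_indent = [], [], None, None
    for line in lines:
        body = line.lstrip()
        indent = len(line) - len(body)
        if list_indent is None:                 # not inside a steps list yet
            if body.startswith("steps:"):
                list_indent = indent
            continue
        if not body or body.startswith("#"):
            continue
        if indent <= list_indent:               # dedent: the steps list ended
            if current: steps.append(current)
            current, list_indent, item_indent = [], None, None
        elif body.startswith("- ") and item_indent in (None, indent):
            item_indent = indent                # a new "- " item at step level
            if current: steps.append(current)
            current = [body[2:]]
        else:
            current.append(body)                # key nested under the current step
    return steps + ([current] if current else [])


def audit_workflow(text):
    """Return finding strings for one workflow file; an empty list means clean."""
    on_block = re.search(r"^on:.*?(?=^\S|\Z)", text, re.S | re.M)
    trigger = on_block and PRIVILEGED_TRIGGER.search(on_block.group(0))
    if not trigger:
        return []                               # unprivileged trigger: forks get no secrets
    findings, checked_out = [], False
    for step in _steps(text.splitlines()):
        body = "\n".join(step)
        hit = UNTRUSTED_REF.search(body)
        if "actions/checkout" in body and hit:
            checked_out = True
            findings.append(f"{trigger.group(0)} checks out untrusted code: {hit.group(0)}")
        elif checked_out and any(l.startswith(("run:", "uses: ./")) for l in step):
            findings.append("executes a step after the untrusted checkout: " + step[0])
    if checked_out and "secrets." in text:
        findings.append("secrets are referenced in the same workflow and are exposed to that code")
    return findings
```

Running audit_workflow over the three constructed texts yields three findings for VULNERABLE_WORKFLOW (the head.ref checkout, the bin/console step that follows it, and the PIMCORE_SECRET reference) and none for the two halves of the split. The same check deliberately treats workflow_run as privileged: the recommended architecture only helps if the privileged half never sets ref to github.event.workflow_run.head_sha or head_branch, which the scanner reports in exactly the same way.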
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions
No linked articles in our index yet.