High severity (CVSS 7.4) · NVD Advisory · Published Apr 24, 2026 · Updated May 1, 2026
CVE-2026-41414
Description
Skim is a fuzzy finder designed to search through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation: any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.
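The combination the description names (a `pull_request_target` trigger, a checkout of the pull request's head ref, and a step that runs it while the job holds secrets and a write-capable token) is mechanical enough to catch before a workflow is merged. The following is an added example, not skim's code and not a tool referenced by the advisory: a stdlib-only Python heuristic that scans a workflow file for exactly that pattern. The sample workflows are constructed here, abridged from the deleted pr.yml in the patch and from a safe `pull_request` variant; the rule names are this example's own.

```python
"""Heuristic detector for the workflow misconfiguration described above:
a job triggered by pull_request_target that checks out the pull request's
head and runs commands from it while holding secrets or a write-capable
token. Added example, stdlib only; sample workflows are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line in the workflow text, 0 for a whole-file verdict
    rule: str
    detail: str


# Expressions that resolve to content controlled by the PR author.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:ref|sha|repo\.full_name)")
SECRET_REF = re.compile(r"secrets\.([A-Za-z0-9_]+)")
RUN_STEP = re.compile(r"^\s*-?\s*run:")
WRITE_PERM = re.compile(r"^\s*(?:contents|packages|id-token|pull-requests):\s*write\s*$")


def scan_workflow(text: str) -> list[Finding]:
    lines = text.splitlines()
    # Everything before the top-level 'jobs:' key is the trigger section.
    jobs_at = next((i for i, l in enumerate(lines) if re.match(r"^jobs:\s*$", l)), len(lines))
    if not re.search(r"\bpull_request_target\b", "\n".join(lines[:jobs_at])):
        # A plain pull_request run from a fork gets no secrets and a read-only
        # GITHUB_TOKEN, so checking out and building the PR there is safe.
        return []

    findings: list[Finding] = []
    checks_out_head = runs_code = False
    for n, line in enumerate(lines[jobs_at:], start=jobs_at + 1):
        if HEAD_REF.search(line):
            checks_out_head = True
            findings.append(Finding(n, "checkout-fork-head", line.strip()))
        if RUN_STEP.match(line):
            runs_code = True
        for name in SECRET_REF.findall(line):
            findings.append(Finding(n, "secret-exposed", name))
        if WRITE_PERM.match(line):
            findings.append(Finding(n, "write-permission", line.strip()))
    if checks_out_head and runs_code:
        findings.insert(0, Finding(0, "untrusted-code-execution",
                                   "pull_request_target + checkout of PR head + run step"))
    return findings


def is_pwn_request(text: str) -> bool:
    return any(f.rule == "untrusted-code-execution" for f in scan_workflow(text))


def exposed_secrets(text: str) -> set[str]:
    return {f.detail for f in scan_workflow(text) if f.rule == "secret-exposed"}


# Constructed sample: the generate-files job from the deleted pr.yml, abridged.
VULNERABLE = """\
name: "Pull Requests"
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  generate-files:
    runs-on: ubuntu-22.04
    permissions:
      contents: write
    steps:
      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
          app-id: ${{ vars.SKIM_RS_BOT_APP_ID }}
          private-key: ${{ secrets.SKIM_RS_BOT_PRIVATE_KEY }}
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          token: ${{ steps.app-token.outputs.token }}
      - run: cargo run -- --man > man/man1/sk.1
"""

# Constructed sample: the title-check job alone. It still uses
# pull_request_target and a token, but never checks out or runs PR code.
TITLE_CHECK_ONLY = """\
on:
  pull_request_target:
    types: [opened, edited]
jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: thehanimo/pr-title-checker@v1.4.3
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed sample: the safe shape for anything that must build PR code.
HARDENED = """\
on:
  pull_request:
jobs:
  generate-files:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - run: cargo run -- --man > /tmp/sk.1
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("title-check", TITLE_CHECK_ONLY), ("hardened", HARDENED)):
        print(label, "pwn-request" if is_pwn_request(wf) else "ok", sorted(exposed_secrets(wf)))
        for f in scan_workflow(wf):
            print(f"  line {f.line}: {f.rule}: {f.detail}")
```

The scan is line-based on purpose: it is the check a reviewer can run over a repository's `.github/workflows` directory with no dependencies, and the three rules map directly onto the three ingredients of this CVE. A production linter would parse the YAML and resolve `jobs.<id>.permissions` and `steps[].with` properly; what the heuristic gets right is the decision that matters, namely that `pull_request_target` is only safe for jobs that never check out or execute `github.event.pull_request.head.*`, and that anything which must build the PR belongs under `pull_request`, where a fork run receives no secrets and a read-only token.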
Patches (1)
bf63404ad519 chore: delete dangerous (and not that useful) PR action in favor of a just recipe
2 files changed · +28 −55
.github/workflows/pr.yml+0 −55 removed@@ -1,55 +0,0 @@ -name: "Pull Requests" -on: - pull_request_target: - types: - - opened - - edited - - synchronize - - labeled - - unlabeled - -jobs: - check: - runs-on: ubuntu-latest - permissions: - pull-requests: write - steps: - - uses: thehanimo/pr-title-checker@v1.4.3 - with: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - pass_on_octokit_error: false - configuration_path: .github/pr-title-checker-config.json - generate-files: - runs-on: ubuntu-22.04 - permissions: - contents: write - steps: - - uses: actions/create-github-app-token@v3 - id: app-token - with: - app-id: ${{ vars.SKIM_RS_BOT_APP_ID }} - private-key: ${{ secrets.SKIM_RS_BOT_PRIVATE_KEY }} - - name: Checkout Git repo - uses: actions/checkout@v6 - with: - fetch-depth: 0 - ref: ${{github.event.pull_request.head.ref}} - repository: ${{github.event.pull_request.head.repo.full_name}} - token: ${{ steps.app-token.outputs.token }} - - run: rustup toolchain install - - name: Cache - uses: Swatinem/rust-cache@v2 - - name: Generate files - run: | - cargo run -- --man > man/man1/sk.1 - cargo run -- --shell bash > shell/completion.bash - cargo run -- --shell zsh > shell/completion.zsh - cargo run -- --shell fish > shell/completion.fish - cargo run -- --shell nushell > shell/completion.nu - - name: Push modified files - run: | - git branch -v - git config user.email "skim-bot@skim-rs.github.io" - git config user.name "Skim bot" - git commit -am 'chore: generate completions & manpage' || exit 0 - git push
justfile+28 −0 modified@@ -1,3 +1,5 @@ +alias pr := pr-review + bump-version version: sed -i 's/^version = ".*"/version = "{{ version }}"/' ./Cargo.toml @@ -58,3 +60,29 @@ bench-plot bins="./target/release/sk sk fzf": done cargo bench --bench cli -- plot -i /tmp/bench.json + +pr-review id="": + #!/usr/bin/env bash + set -euo pipefail + + PR_ID="{{ id }}" + if [[ -z "$PR_ID" ]]; then + PR_ID="$(gh pr list | sk | cut -d' ' -f1)" + fi + echo "Checking out PR $PR_ID" + + gh pr checkout "$PR_ID" + + # Check the PR title + PR_TITLE="$(gh pr view | head -n1 | sed 's@title:\s\+@@;s@skim-rs/skim#.*@@')" + echo "Checking $PR_TITLE by simulating a git cliff generation" + + git cliff --from-context <(echo '[{"commits":[{"id": "foo", "message": "'$PR_TITLE'", "links": [], "author": {"name": "","timestamp":1}, "committer": {"name": "", "timestamp":0}, "merge_commit": false,"github":{"pr_labels":[], "is_first_time": false},"gitlab":{"pr_labels":[],"is_first_time":false},"gitea":{"pr_labels":[],"is_first_time":false},"bitbucket":{"pr_labels":[],"is_first_time":false},"azure_devops":{"pr_labels":[],"is_first_time":false}}],"submodule_commits":{},"github":{"contributors":[]},"gitlab":{"contributors":[]},"gitea":{"contributors":[]},"bitbucket":{"contributors":[]},"azure_devops":{"contributors":[]}}]') -s all | grep -Ev '^(## \[unreleased\]|)$' | grep -q '^.\+$' + + echo "Check done, PR title is valid" + + git diff master + tty -s && read -p "Confirm code review ?" + + just generate-files + (git add man/ shell/ && git commit -m 'chore: generate-files' && git push) || echo "Nothing to do"
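Review bot: On the .github/workflows/pr.yml hunk, deleting the whole file also drops the `check` job, which only held `pull-requests: write` with `secrets.GITHUB_TOKEN` and never checked out fork code; the dangerous part is confined to `generate-files`, where `pull_request_target` supplies `secrets.SKIM_RS_BOT_PRIVATE_KEY` and a `contents: write` token to a job that checks out `github.event.pull_request.head.ref` from `github.event.pull_request.head.repo.full_name` and then runs `cargo run` on it. Removing the job is the right fix, but the commit message should also record that `SKIM_RS_BOT_PRIVATE_KEY` is being rotated, since the workflow exposed it to every fork PR opened while it existed.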
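Review bot: In the `pr-review` recipe hunk of the justfile, the PR title is spliced into the git-cliff JSON through `'$PR_TITLE'` inside a single-quoted string, so a title containing `'` or `"` breaks the shell quoting or the JSON; build the document with `jq -n --arg m "$PR_TITLE" '...'` instead of string concatenation, given that the title is chosen by the PR author. The line `tty -s && read -p "Confirm code review ?"` also accepts any input as confirmation and is skipped entirely when no tty is attached, after which `just generate-files` runs on the checked-out PR and the result is pushed; read the answer into a variable and abort unless it is an explicit `y`. Finally, `git diff master` hard-codes the base branch name; diffing against the PR's actual base branch would keep the review correct for PRs targeting other branches.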