Platform: python
Component: owasp-blt
Fixed in: 2.1.1
CVE-2026-40316 describes a Remote Code Execution (RCE) vulnerability affecting OWASP BLT versions 2.1.0 through 2.1. This flaw arises from insecure handling of pull requests within the .github/workflows/regenerate-migrations.yml workflow, allowing attackers to execute arbitrary code on the runner. The vulnerability was published on 2026-04-15 and a fix is available in version 2.1.1.
The impact of this RCE vulnerability is significant. An attacker can submit a malicious pull request containing attacker-controlled files. Because the workflow runs on the pull_request_target trigger with full GITHUB_TOKEN write permissions, those files are copied into the trusted runner workspace during workflow execution. The python manage.py makemigrations command then imports the attacker-controlled website/models.py, leading to arbitrary code execution within the application's context. This could result in complete system compromise, data exfiltration, or denial of service. The attacker effectively gains control over the BLT instance's runner environment.
This vulnerability is actively being tracked and has been publicly disclosed. While no active exploitation campaigns have been confirmed, the ease of exploitation and the potential impact make it a high-priority concern. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge given the nature of the vulnerability.
Exploit Status
EPSS: 0.07% (20th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade OWASP BLT to version 2.1.1 or later, which addresses the vulnerability. If upgrading is not immediately feasible, consider temporarily disabling the regenerate-migrations.yml workflow in the .github/workflows directory. Review all pull requests carefully, paying close attention to any files that might be used to inject malicious code. Implement stricter code review processes and consider using static analysis tools to identify potential vulnerabilities in pull requests before merging. Monitor the runner environment for suspicious activity.
Update OWASP BLT to version 2.1.1 or later to mitigate the remote code execution vulnerability. This update fixes the issue by preventing arbitrary code execution in the CI environment through the import of untrusted Django models.
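The following added example (not code from the BLT project or this advisory) is a small audit script for the workflow pattern described above: a pull_request_target trigger that checks out the PR head and runs with write permissions. The two embedded workflows are constructed samples modelled on the description, not the project's actual regenerate-migrations.yml; the hardened variant and the makemigrations flags it uses are assumptions about one safe configuration, not the upstream fix.

```python
import re

# Constructed sample, modelled on the advisory's description: pull_request_target,
# checkout of the untrusted PR head, write token, then a command that imports repo code.
VULNERABLE_WORKFLOW = """\
name: regenerate-migrations
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  migrate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: python manage.py makemigrations
"""

# Constructed hardened sample: plain pull_request trigger (no secrets or write token
# for fork PRs), read-only permissions, and a check-only migration run.
HARDENED_WORKFLOW = """\
name: regenerate-migrations
on:
  pull_request:
permissions:
  contents: read
jobs:
  migrate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python manage.py makemigrations --check --dry-run
"""

# Ways a workflow pulls the PR's own code into the workspace.
PR_HEAD_REFS = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|gh pr checkout|refs/pull/")

def audit_workflow(text: str) -> list[str]:
    """Heuristic text scan of one workflow file; returns a list of findings (empty = clean)."""
    findings = []
    if not re.search(r"\bpull_request_target\b", text):
        return findings  # only pull_request_target grants a privileged token to fork PRs
    if PR_HEAD_REFS.search(text):
        findings.append("pull_request_target checks out untrusted PR head")
    if re.search(r"^\s*(contents:\s*write|write-all)\b", text, re.M):
        findings.append("pull_request_target runs with write permissions")
    return findings
```

Run it over every file under .github/workflows; any non-empty result is a candidate for the trigger and permission changes shown in the hardened sample.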
CVE-2026-40316 is a Remote Code Execution vulnerability in OWASP BLT versions 2.1.0 through 2.1, allowing attackers to execute arbitrary code through malicious pull requests.
If you are using OWASP BLT versions 2.1.0 through 2.1, you are potentially affected by this vulnerability. Upgrade to 2.1.1 to mitigate the risk.
Upgrade OWASP BLT to version 2.1.1 or later. As a temporary workaround, disable the .github/workflows/regenerate-migrations.yml workflow.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the official OWASP BLT security advisories and release notes for detailed information and updates.