OWASP BLT RCE: GitHub Workflow Flaw Exposes Secrets
The National Vulnerability Database (NVD) has detailed a critical Remote Code Execution (RCE) vulnerability, CVE-2026-40316, affecting OWASP BLT versions prior to 2.1.1. OWASP BLT, a platform used for QA testing and vulnerability disclosure across various digital assets, is exposed due to a flaw in its .github/workflows/regenerate-migrations.yml workflow. This workflow, designed to regenerate migrations, inadvertently opens a path to arbitrary code execution.
The core issue lies in the workflow’s use of the pull_request_target trigger, which grants full GITHUB_TOKEN write permissions. According to the NVD, the workflow copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show. Subsequently, it executes python manage.py makemigrations, which imports Django model modules, including an attacker-controlled website/models.py. Any malicious Python code within this models.py is executed during import, granting arbitrary code execution within the privileged CI environment. This provides access to GITHUB_TOKEN and repository secrets, a serious red flag for supply chain integrity.
This attack vector is particularly concerning because any external contributor can initiate it by opening a pull request. The only additional step required is for a maintainer to apply the regenerate-migrations label. This could lead to severe consequences, including secret exfiltration, complete repository compromise, and broader supply chain attacks. A patch is anticipated in version 2.1.1, and the NVD has assigned a CVSS score of 8.8 (HIGH) to this vulnerability, highlighting its severity and potential impact.
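A defender's check for the pattern described above, as an added example that is not taken from the OWASP BLT repository or the NVD entry: a heuristic Python scan that flags workflows combining pull_request_target with references to the pull request head. Both sample workflows, the finding codes and the function name audit_workflow are constructed for illustration.

```python
import re

# Constructed sample (not the OWASP BLT file): privileged trigger, PR-head
# content copied in with git show, then imported by Django.
RISKY = """\
on:
  pull_request_target:
    types: [labeled]
jobs:
  regen:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          git show ${{ github.event.pull_request.head.sha }}:website/models.py > website/models.py
          python manage.py makemigrations
"""
# Constructed counterpart: unprivileged trigger and a read-only token.
SAFER = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  regen:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python manage.py makemigrations --check --dry-run
"""

TRIGGER = re.compile(r"\bpull_request_target\b")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref|refs/pull/")
WRITE = re.compile(r"^\s*(?:permissions:\s*write-all|[\w-]+:\s*write)\s*$", re.M)

def audit_workflow(text: str) -> list[str]:
    """Heuristic text scan; returns finding codes, empty list if none."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop full-line YAML comments
    if not TRIGGER.search(text):
        return []
    findings = []
    if PR_HEAD.search(text):  # PR-controlled content reaches the trusted workspace
        findings.append("untrusted-pr-content-in-privileged-workflow")
    if not re.search(r"(?m)^\s*permissions\s*:", text):
        findings.append("token-scope-left-to-repository-default")
    elif WRITE.search(text):
        findings.append("token-granted-write-scope")
    return findings
```

Run audit_workflow over each file under .github/workflows/ and review any workflow that returns the first finding code by hand, since a text scan cannot tell whether the fetched content is ever executed.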
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40316 | RCE | OWASP BLT versions prior to 2.1.1 |
| CVE-2026-40316 | RCE | .github/workflows/regenerate-migrations.yml workflow |
| CVE-2026-40316 | RCE | Execution of attacker-controlled website/models.py via python manage.py makemigrations |