CVE-2026-41414: Skim Fuzzy Finder Vulnerability Exposes GitHub Tokens


The National Vulnerability Database has disclosed CVE-2026-41414, a high-severity vulnerability (CVSS 7.4) in Skim, a fuzzy finder utility. The flaw stems from an insecure GitHub Actions workflow (.github/workflows/pr.yml): its generate-files job executes attacker-controlled code from a pull request with elevated permissions, specifically with access to SKIM_RS_BOT_PRIVATE_KEY and to GITHUB_TOKEN with contents:write scope.

Crucially, there are no gates preventing exploitation. Any GitHub user can trigger this by simply opening a pull request from a fork. This means a malicious actor could leverage a crafted pull request to gain unauthorized access to sensitive repository secrets, potentially leading to repository compromise or further lateral movement within GitHub’s ecosystem. The vulnerability is addressed in commit bf63404ad51985b00ed304690ba9d477860a5a75.

This incident is a stark reminder of the inherent risks in overly permissive CI/CD pipelines, especially those executing untrusted code with elevated privileges. The attacker’s calculus here is low effort, high reward: a simple pull request can unlock critical secrets. Defenders need to scrutinize their GitHub Actions workflows, particularly those triggered by external contributions, to ensure least privilege and robust input validation.

What This Means For You

  • If your organization uses Skim, ensure you've updated to the patched version. More broadly, audit your GitHub Actions workflows for similar patterns: any workflow that checks out and executes code from untrusted forks with access to repository secrets like `GITHUB_TOKEN` or other private keys is a critical attack surface. Revoke any potentially compromised tokens immediately.
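As an added example (not code from the Skim project or from the advisory), a small audit helper for the "similar patterns" check above: a constructed risky workflow next to its hardened form, and regex heuristics that flag a privileged trigger combined with a PR-head checkout, write permissions or repository secrets. The pull_request_target trigger, the cargo step and the regex-based approach are assumptions; the page does not show the workflow body itself.

```python
import re
# Constructed sample of the risky pattern the advisory describes: PR code checked out
# and run with contents:write and a repository secret (trigger and step are assumptions).
RISKY_WORKFLOW = """\
on:
  pull_request_target:
permissions:
  contents: write
jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: cargo run --bin generate-files
        env:
          BOT_KEY: ${{ secrets.SKIM_RS_BOT_PRIVATE_KEY }}
"""
# Hardened form: plain pull_request gives fork PRs a read-only token and no
# repository secrets, and checkout defaults to the merge ref rather than the PR head.
SAFE_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo run --bin generate-files
"""
PRIVILEGED_TRIGGER = re.compile(r"^\s*(pull_request_target|workflow_run)\s*:", re.M)
PR_HEAD_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
WRITE_PERMISSION = re.compile(r"^\s*[\w-]+\s*:\s*write\b", re.M)
SECRET_REFERENCE = re.compile(r"secrets\.(?!GITHUB_TOKEN\b)\w+")

def audit_workflow(text: str) -> list[str]:
    # Plain pull_request runs fork code with neither secrets nor a write token, so only
    # the privileged triggers are worth flagging.
    findings = []
    if not PRIVILEGED_TRIGGER.search(text):
        return findings
    if PR_HEAD_CHECKOUT.search(text):
        findings.append("checks out the PR head (contributor code) under a privileged trigger")
    if WRITE_PERMISSION.search(text):
        findings.append("GITHUB_TOKEN granted write permissions")
    if SECRET_REFERENCE.search(text):
        findings.append("repository secrets passed to PR-controlled steps")
    return findings
```

Run it over every file under .github/workflows/ and treat any non-empty result as a workflow to review by hand.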


Detection Rules

Three detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML of one of them is reproduced below.

Level: critical · ATT&CK: T1059.003 (Execution)

CVE-2026-41414: Skim Fuzzy Finder PR from Fork Triggering Cargo Run

Sigma YAML:
# title is quoted because the unquoted value contains ': ', which breaks YAML parsing
title: 'CVE-2026-41414: Skim Fuzzy Finder PR from Fork Triggering Cargo Run'
id: scw-2026-04-24-ai-1
status: experimental
level: critical
description: |
  Detects the execution of 'cargo run' specifically within the context of the '.github/workflows/pr.yml' file, which is the vulnerable job in Skim Fuzzy Finder. This indicates an attempt to exploit CVE-2026-41414 by triggering code execution from an attacker-controlled fork via a pull request.
author: SCW Feed Engine (AI-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41414/
tags:
  - attack.execution
  - attack.t1059.003
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'cargo.exe'
    # all four substrings must appear in the command line (a single key with the
    # 'all' modifier; repeating 'CommandLine|contains' would be a duplicate YAML key)
    # caveat: cargo's --manifest-path expects a Cargo.toml, so a command line naming
    # the workflow file is unlikely in practice; tune these strings to your environment
    CommandLine|contains|all:
      - 'run'
      - '--manifest-path'
      - '.github/workflows/pr.yml'
      - 'skim'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

ID              | Type                   | Indicator
CVE-2026-41414  | RCE                    | Skim fuzzy finder
CVE-2026-41414  | RCE                    | .github/workflows/pr.yml generate-files job
CVE-2026-41414  | Information Disclosure | Access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN
CVE-2026-41414  | RCE                    | Exploitable via pull request from a fork
CVE-2026-41414  | Patch                  | Commit bf63404ad51985b00ed304690ba9d477860a5a75

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 24, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

