Critical RCE Vulnerability in Microsoft GitHub Repository Disclosed

Critical RCE Vulnerability in Microsoft GitHub Repository Disclosed

First seen 22 Apr 2026, 17:48 UTC TenableScworld 79% similarity 72.6

Article Content

Browse articles
ThreatCluster

A critical flaw in Microsoft's Windows-driver-samples GitHub repository allowed for remote code execution (RCE) via issue submissions. The vulnerability, identified by Tenable, enabled attackers to inject arbitrary Python code into a GitHub Actions workflow due to unsanitized input. This could lead to the exfiltration of the GITHUB_TOKEN secret, potentially allowing unauthorized actions on behalf of Microsoft. The flaw was assigned a CVSS score of 9.3, indicating a high severity. Microsoft patched the vulnerability on March 13, 2026, after it was reported in February 2026. The incident underscores the need for stringent security measures in CI/CD pipelines and proper management of sensitive tokens. The repository has significant visibility with 7,700 stars and 5,000 forks, increasing the potential impact of exploitation. Tenable also referenced a related incident involving OpenAI, highlighting ongoing risks in software supply chains.

Key Points: • A critical RCE vulnerability in a Microsoft GitHub repository was discovered and patched. • Attackers could exploit the flaw by submitting malicious issues, executing arbitrary Python code. • The vulnerability had a CVSS score of 9.3, indicating high severity and potential for significant impact.

ThreatCluster AI

Timeline

2026-02-01
Tenable reported the vulnerability to Microsoft
2026-03-13
Microsoft released a patch for the vulnerability
2026-04-21
Tenable published advisory detailing the vulnerability
2026-04-22
SCworld reported on the vulnerability and its implications

Community

Browse all →