Shell Injection Vulnerability in Emissary Workflow Engine by National Security Agency
CVE-2026-35580

9.1 CRITICAL

Key Information:

Vendor: National Security Agency
CVE Published: 7 April 2026

What is CVE-2026-35580?

Emissary is a workflow engine developed by the National Security Agency. In versions before 8.39.0, several of its GitHub Actions workflow files are vulnerable to shell injection: values supplied through the workflow_dispatch trigger's inputs are substituted directly into shell commands without validation. Because the runner expands these expressions textually before the shell parses the command, an attacker who can trigger the workflow, which requires write permission on the repository, can supply an input that breaks out of the intended command and executes arbitrary commands on the runner. Those commands run with whatever credentials and secrets the job holds, so the flaw can be used to poison the repository or the artifacts it publishes, a supply chain compromise that reaches downstream users. Upgrade to version 8.39.0 or later.
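The injection and its fix, as an added example that is not code from the Emissary project or from this advisory: a dependency-free Python scanner that flags attacker-controlled ${{ }} expressions inside run: steps, exercised on two constructed workflows, one in the vulnerable shape the description refers to and one rewritten the safe way (the value passed through env:, referenced as a quoted shell variable, and validated before use). The job, step and input names are assumptions, and the scanner goes beyond workflow_dispatch inputs to the other event fields GitHub documents as attacker-controlled.

```python
"""Scan GitHub Actions workflows for attacker-controlled ${{ }} expressions
spliced into run: steps, the pattern behind CVE-2026-35580.

Added illustration, not Emissary's code or its fixed workflow. The sample
workflows are constructed (job, step and input names are assumptions); the
scanner also covers the other event fields GitHub documents as untrusted.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int         # 1-based line in the workflow file
    expression: str   # body of the ${{ ... }} expression
    script: str       # the shell line it is substituted into


EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")   # group 1: expression body

# Prefixes whose value an outside party chooses: workflow_dispatch inputs
# (the advisory's case), then issue/PR text, comments, commit messages, refs.
UNTRUSTED = [re.compile(p) for p in (
    r"^github\.event\.inputs\.",
    r"^inputs\.",
    r"^github\.event\.(issue|pull_request|discussion)\.(title|body)\b",
    r"^github\.event\.(comment|review|review_comment)\.body\b",
    r"^github\.event\.(head_commit\.message|commits)\b",
    r"^github\.(head_ref$|event\.pull_request\.head\.(ref|label)\b)",
)]

# "run:" or "- run:"; group 1 locates the key's column, group 2 is the value.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def run_lines(text: str) -> list:
    """(line_no, shell_line) for every line of every run: step. Line-based on
    purpose (no YAML dependency): inline 'run: cmd', or a block scalar
    ('run: |', 'run: >') = following non-blank lines indented deeper than the key."""
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, value = len(m.group(1)), m.group(2).strip()
        if value and value[0] not in "|>":
            out.append((i + 1, value))
            i += 1
            continue
        i += 1
        while i < len(lines):
            raw = lines[i]
            if raw.strip() and len(raw) - len(raw.lstrip()) <= key_col:
                break                       # dedented: block scalar ended
            if raw.strip():
                out.append((i + 1, raw.strip()))
            i += 1
    return out


def scan_workflow(text: str) -> list:
    """Untrusted expressions spliced into shell text. Expressions in env:
    values are not reported: the runner hands those to the shell as
    environment variables, which is the safe pattern."""
    return [Finding(n, e, s) for n, s in run_lines(text)
            for e in EXPR.findall(s) if any(p.search(e) for p in UNTRUSTED)]


def expand_expressions(script: str, values: dict) -> str:
    """Mimic the runner: ${{ expr }} is replaced textually BEFORE bash parses
    the line, so quoting the expression in the script is no protection."""
    return EXPR.sub(lambda m: values.get(m.group(1), ""), script)


# Constructed sample, vulnerable shape: the input lands inside run:.
VULNERABLE_WORKFLOW = """name: release
on: {workflow_dispatch: {inputs: {version: {required: true}}}}
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Tag release
        run: |
          git tag "v${{ github.event.inputs.version }}"
          git push origin "v${{ github.event.inputs.version }}"
"""

# Constructed sample, hardened shape: input via env:, quoted and validated.
HARDENED_WORKFLOW = r"""name: release
on: {workflow_dispatch: {inputs: {version: {required: true}}}}
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Tag release
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: |
          [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "bad version" >&2; exit 1; }
          git tag "v$VERSION"
          git push origin "v$VERSION"
"""
```

Run scan_workflow over each file under .github/workflows/ to find the vulnerable shape; expand_expressions shows what the shell actually receives when the version input is something like 1.0"; id; echo " (the double quotes in the script do nothing, because the substitution happens before bash parses the line). The scanner only looks at run: steps; expressions passed to actions/github-script or to a composite action's with: inputs can be just as dangerous and need a separate check.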

Affected Version(s)

emissary < 8.39.0

References

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Score: 9.1
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High (write access to the repository, which is what triggering workflow_dispatch requires)
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published: 7 April 2026