Authorization Bypass in Skim Fuzzy Finder by Skim-rs
CVE-2026-41414

7.4HIGH

Key Information:

Vendor: Skim-rs
Status: Skim
Vendor: CVE Published:; 24 April 2026

What is CVE-2026-41414?

A severe issue in the Skim fuzzy finder allows unauthorized execution of attacker-controlled code through a GitHub Workflow configuration. The 'generate-files' job in '.github/workflows/pr.yml' does not implement any security measures to prevent exploitation. This flaw permits any GitHub user to initiate malicious activity by submitting a pull request from a forked repository. The attack leverages the SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN, leading to potential unauthorized access and data manipulation. Remediation has been addressed in commit bf63404ad51985b00ed304690ba9d477860a5a75.

Affected Version(s)

skim < bf63404ad51985b00ed304690ba9d477860a5a75

References

https://github.com/skim-rs/skim/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/skim-rs/skim/commit/bf63404ad51985b00e...

x_refsource_MISC

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 20, 2026

CVE-2026-41414 Data

JSON