rishiarora123 opened a new issue, #38926:
URL: https://github.com/apache/beam/issues/38926
### What happened?
## Background
This issue is related to HackerOne Report #3763942, titled:
**GitHub Actions CI/CD Injection Leads To RCE — anthropics/beam**
The report was submitted to Anthropic on May 27, 2026 and was subsequently
resolved through their vulnerability disclosure process.
According to Anthropic's response:
> "CVE assignment for the underlying workflow pattern in the upstream
project would be the Apache Beam project's decision, made through their own
security and advisory process."
As a result, we are requesting a review of the upstream Apache Beam
implementation to determine whether the affected workflow pattern existed in
Apache Beam and whether it qualifies for a security advisory and/or CVE
assignment.
### Researchers
* Rishi Arora
  * LinkedIn: linkedin.com/in/rishiharyana
* Subham Chatterjee
  * LinkedIn: https://www.linkedin.com/in/subhchatterjee/
Please let us know if any additional information, proof-of-concept details,
workflow references, commit history, remediation details, or supporting
documentation are required.
### Issue Priority
Priority: 1 (data loss / total loss of function)
### Issue Components
- [ ] Component: Python SDK
- [ ] Component: Java SDK
- [ ] Component: Go SDK
- [ ] Component: Typescript SDK
- [ ] Component: IO connector
- [x] Component: Beam YAML
- [ ] Component: Beam examples
- [ ] Component: Beam playground
- [ ] Component: Beam katas
- [ ] Component: Website
- [x] Component: Infrastructure
- [ ] Component: Spark Runner
- [ ] Component: Flink Runner
- [ ] Component: Prism Runner
- [ ] Component: Twister2 Runner
- [ ] Component: Hazelcast Jet Runner
- [ ] Component: Google Cloud Dataflow Runner
--
This is an automated message from the Apache Git Service.