Critical (9.3)

Sherlock leaks CI tokens via command injection (CVE-2026-44590) [PoC]

CVE-2026-44590

CVE-2026-44590: Sherlock 0.16.0 GitHub Actions CI token theft via pull_request_target command injection (CVSS 9.3). Update to 0.16.1 immediately.

Exploitation confirmed, public proof-of-concept available: CVE-2026-44590 is a critical command injection vulnerability in Sherlock prior to 0.16.1 that lets any GitHub user steal the CI runner's GITHUB_TOKEN and execute arbitrary commands. Patched in version 0.16.1; update immediately.

Overview

CVE-2026-44590 affects the Sherlock social media username search tool. The GitHub Actions workflow validate_modified_targets.yml uses the pull_request_target trigger, which runs in the context of the target repository rather than the forked PR branch. This trigger combined with insufficient input sanitization allows any GitHub user to inject arbitrary commands into the CI runner by opening a pull request, without requiring approval, review, or merge.

Impact

The impact is severe:

  • Remote code execution on the GitHub Actions CI runner
  • Theft of the GITHUB_TOKEN with repository write access
  • Potential for unauthorized code pushes to the repository using stolen tokens
  • This follows a known attack pattern: in the GlassWorm campaign, stolen GitHub tokens were used to force-push malware into Python repositories

Affected Versions

All Sherlock versions prior to 0.16.1 (including 0.16.0) are affected.

Remediation

  1. Immediate: Upgrade Sherlock to version 0.16.1 or later.
  2. Alternative: Disable the affected GitHub Actions workflow validate_modified_targets.yml until the update can be applied.
  3. Post-remediation: Rotate any exposed GITHUB_TOKEN secrets and audit repository access logs for unauthorized activity.

Mitigation Notes

If immediate upgrade is not possible, consider restricting workflow triggers. However, no workaround fully addresses the command injection vector other than upgrading.

Security Insight

This vulnerability illustrates a broader security pattern in open-source CI/CD pipelines: the pull_request_target trigger remains a common source of critical vulnerabilities because it grants workflows access to repository secrets while executing untrusted code from forks. Similar attacks, such as the GlassWorm campaign that weaponized stolen CI tokens, show that these token-stealing vulnerabilities are a primary vector for supply chain compromise. Project maintainers should audit all workflows using pull_request_target and consider migrating to pull_request with manual approval or using environment-level protections.
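One way to carry out the workflow audit recommended above, as an added example that is not Sherlock's code: a small scanner that flags PR-controlled expressions expanded inside run: steps of pull_request_target workflows, run over a constructed vulnerable sample (an assumed shape, not the real validate_modified_targets.yml) and its hardened counterpart, which passes the same values through environment variables and restricts the job token to read access.

```python
# CVE-2026-44590 audit helper: added example, not Sherlock's code; the samples below are constructed.
import re
# ${{ ... }} expressions whose value an external PR author controls.
UNTRUSTED = re.compile(r"\$\{\{[^}]*\bgithub\.(event\.(pull_request|issue|comment|review)\.|head_ref)[^}]*\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s*)?run:\s*(.*)$")
def audit_workflow(text: str) -> list[tuple[int, str]]:
    """(line, expr) for PR-controlled input inside run: steps of pull_request_target workflows."""
    if not re.search(r"\bpull_request_target\b", text):  # coarse trigger check
        return []
    findings, block_col = [], None
    for num, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if block_col is not None:
            if line.strip() and indent <= block_col:
                block_col = None  # `run: |` block ended; examine this line normally
            else:
                findings += [(num, m[0]) for m in UNTRUSTED.finditer(line)]
                continue
        if not (m := RUN_KEY.match(line)):
            continue
        value = m[3].strip()
        if value in ("|", ">", "|-", ">-"):  # block scalar: deeper-indented lines follow
            block_col = len(m[1]) + len(m[2] or "")
        else:
            findings += [(num, x[0]) for x in UNTRUSTED.finditer(value)]
    return findings
# Constructed vulnerable shape: PR fields are spliced into the script text before the shell runs.
VULNERABLE = """\
on: pull_request_target
jobs:
  validate:
    steps:
      - run: |
          echo "Checking ${{ github.event.pull_request.title }} on ${{ github.head_ref }}"
"""
# Hardened: same values reach the shell as env vars (data, quoted on use); token limited to read.
FIXED = """\
on: pull_request_target
permissions:
  contents: read
jobs:
  validate:
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Checking $PR_TITLE on $HEAD_REF"
"""
```

Point the scanner at each file under .github/workflows/ to list the steps that need the env-variable treatment; a workflow on the plain pull_request trigger is not reported because it receives only a read-only token.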


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: Astaruf/CVE-2026-44590
Description: CVE-2026-44590 - Sherlock <= v0.16.0 - RCE via pull_request_target Injection → Supply Chain Compromise
Stars: 0

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
