Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases.
References
| Link | Resource |
|---|---|
| https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5 | Patch |
| https://github.com/eigent-ai/eigent/pull/836 | Issue Tracking Exploit Third Party Advisory |
| https://github.com/eigent-ai/eigent/pull/837 | Issue Tracking Exploit Patch |
| https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp | Exploit Third Party Advisory |
Configurations
History
29 Jan 2026, 17:52
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:eigent:eigent:*:*:*:*:*:*:*:* | |
| First Time |
Eigent
Eigent eigent |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
| References | () https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5 - Patch | |
| References | () https://github.com/eigent-ai/eigent/pull/836 - Issue Tracking, Exploit, Third Party Advisory | |
| References | () https://github.com/eigent-ai/eigent/pull/837 - Issue Tracking, Exploit, Patch | |
| References | () https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp - Exploit, Third Party Advisory |
13 Jan 2026, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-13 21:15
Updated : 2026-01-29 17:52
NVD link : CVE-2026-22869
Mitre link : CVE-2026-22869
CVE.ORG link : CVE-2026-22869
JSON object : View
Products Affected
eigent
- eigent
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')