CVE-2026-27938

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58
https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x

Configurations

No configuration.

History

No history.

Information

Published : 2026-02-26 02:16

Updated : 2026-02-27 14:06

NVD link : CVE-2026-27938

Mitre link : CVE-2026-27938

CVE.ORG link : CVE-2026-27938

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-27938", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.3}]}, "published": "2026-02-26T02:16:21.960", "references": [{"url": "https://github.com/wp-graphql/wp-graphql/commit/de0c2d590593f1099546ad517106e454a498bc58", "source": "security-advisories@github.com"}, {"url": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-4q9f-mjxf-rx7x", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability."}, {"lang": "es", "value": "WPGraphQL proporciona una API GraphQL para sitios de WordPress. Antes de la versi\u00f3n 2.9.1, el repositorio 'wp-graphql/wp-graphql' contiene un flujo de trabajo de GitHub Actions ('release.yml') vulnerable a la inyecci\u00f3n de comandos del sistema operativo mediante el uso directo de '${{ github.event.pull_request.body }}' dentro de un bloque de shell 'run:'. Cuando se fusiona una solicitud de extracci\u00f3n de 'develop' a 'master', el cuerpo de la PR se inyecta textualmente en un comando de shell, lo que permite la ejecuci\u00f3n arbitraria de comandos en el ejecutor de Actions. La versi\u00f3n 2.9.1 contiene una soluci\u00f3n para la vulnerabilidad."}], "lastModified": "2026-02-27T14:06:59.787", "sourceIdentifier": "security-advisories@github.com"}