DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-31976: Supply Chain Compromise via Tag Poisoning in xygeni-action

Vulnerability ID: CVE-2026-31976
CVSS Score: 9.3
Published: 2026-03-11

CVE-2026-31976 is a critical supply chain vulnerability in the xygeni-action GitHub Action. An attacker used compromised credentials to carry out a tag poisoning attack, re-pointing the mutable @v5 tag at a malicious commit that carried a command-and-control (C2) implant. Because a tag is resolved at run time, every workflow that referenced @v5 between March 3 and March 10, 2026 fetched and executed the implant, giving the attacker arbitrary command execution on those CI runners and access to whatever secrets the runner held.

TL;DR

Tag poisoning in xygeni-action @v5 led to a C2 implant executing arbitrary commands on CI runners.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-506 (Embedded Malicious Code)
  • Attack Vector: Network
  • CVSS Score: 9.3
  • Impact: Remote Code Execution
  • Exploit Status: Active
  • KEV Status: Not Listed

Affected Systems

  • GitHub Actions runners executing xygeni/xygeni-action@v5 between March 3 and March 10, 2026
  • CI/CD pipelines relying on mutable @v5 tag
  • xygeni-action: @v5 (March 3 - March 10, 2026) (Fixed in: @v6)

Code Analysis

  • Commit 4bf1d4e: malicious commit containing the C2 implant.
  • Commit 13c6ed2: remediation commit updating the README to recommend SHA pinning.

Exploit Details

  • GitHub: The malicious commit (4bf1d4e) still resides in the repository's Git object store, so it remains fetchable by its SHA regardless of where the @v5 tag now points. Runs that resolved @v5 during the window executed it; runs that fetch the tag today do not.

Mitigation Strategies

  • Pin GitHub Actions to immutable full-length (40-character) commit SHAs instead of mutable tags or branches; a tag can be moved, a commit SHA cannot.
  • Implement OpenID Connect (OIDC) to eliminate long-lived CI/CD secrets.
  • Enforce network egress filtering on self-hosted CI runners to block unauthorized external connections.

Remediation Steps:

  1. Identify all workflows referencing xygeni/xygeni-action@v5.
  2. Update workflows to pin to commit 13c6ed2797df7d85749864e2cbcf09c893f43b23, or, where a tag must be used, to the verified @v6 tag (still a mutable reference, so prefer the SHA).
  3. Audit historical workflow runs between March 3 and March 10, 2026.
  4. Rotate all secrets accessible to runners that executed the compromised workflow.
  5. Review CI runner network logs for outbound connections to 91.214.78.178.nip.io (nip.io hostnames resolve to the address they embed, so also match on the bare IP 91.214.78.178).
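The following script is an added illustration of steps 1, 2 and 5 above; it is not code from the advisory or from the xygeni project. It scans workflow text for `uses:` steps that reference an action by a mutable ref (anything other than a full 40-hex commit SHA), rewrites the xygeni-action references to the remediation commit named above, and checks runner egress log lines for the IOC hostname or its embedded IP inside the compromise window. The sample workflow and the egress log lines are constructed for the example, and the log format (`<timestamp> <runner> CONNECT <host:port> <verdict>`) is an assumption; real proxy or firewall logs need their own field parsing.

```python
import re
from typing import List, Tuple

# Remediation commit named in the advisory (the README change recommending SHA pinning).
REMEDIATION_SHA = "13c6ed2797df7d85749864e2cbcf09c893f43b23"
# Outbound IOC from the advisory; nip.io hostnames resolve to the address they embed.
IOC_DOMAIN = "91.214.78.178.nip.io"
IOC_IP = IOC_DOMAIN.removesuffix(".nip.io")
# Compromise window from the advisory, inclusive, compared as ISO dates.
WINDOW = ("2026-03-03", "2026-03-10")

# Constructed sample workflow for illustration; not taken from the page or the xygeni project.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: xygeni/xygeni-action@v5
        with:
          token: ${{ secrets.XYGENI_TOKEN }}
      - uses: xygeni/xygeni-action@13c6ed2797df7d85749864e2cbcf09c893f43b23 # already pinned
"""

# Constructed egress log lines in an assumed "<timestamp> <runner> CONNECT <host:port> <verdict>"
# format; real proxy or firewall logs will differ and need their own field parsing.
SAMPLE_EGRESS_LOG = """\
2026-03-05T14:02:11Z runner-7 CONNECT api.github.com:443 ALLOW
2026-03-05T14:02:19Z runner-7 CONNECT 91.214.78.178.nip.io:443 ALLOW
2026-03-06T01:00:00Z runner-2 CONNECT pypi.org:443 ALLOW
2026-03-12T09:15:40Z runner-3 CONNECT 91.214.78.178:443 DENY
"""

# Matches `uses: owner/repo[/path]@ref` step lines. Local (./...) and docker:// uses are skipped.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)(?P<path>/[^@\s]*)?@(?P<ref>[^\s#]+)"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_immutable_ref(ref: str) -> bool:
    """Only a full 40-hex commit SHA is immutable; tags and branches can be re-pointed."""
    return SHA_RE.match(ref) is not None


def find_mutable_refs(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, 'owner/repo', ref) for every action step that uses a mutable ref."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not is_immutable_ref(m.group("ref")):
            hits.append((n, f"{m.group('owner')}/{m.group('repo')}", m.group("ref")))
    return hits


def pin_action(workflow_text: str, action: str, sha: str, label: str) -> str:
    """Rewrite every mutable reference to `action` as an immutable SHA pin, keeping a comment."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and f"{m.group('owner')}/{m.group('repo')}" == action and not is_immutable_ref(m.group("ref")):
            # Preserve any sub-path (owner/repo/path) so the step still resolves the same action.
            line = f"{m.group('indent')}{action}{m.group('path') or ''}@{sha} # {label}"
        out.append(line)
    return "\n".join(out) + "\n"


def find_ioc_connections(log_text: str, window=WINDOW) -> List[Tuple[str, bool]]:
    """Return (line, in_window) for every log line that names the IOC hostname or its bare IP."""
    start, end = window
    hits = []
    for line in log_text.splitlines():
        if IOC_DOMAIN in line or IOC_IP in line:
            # ISO-8601 timestamps sort lexically, so a string compare on the date prefix is enough.
            hits.append((line, start <= line[:10] <= end))
    return hits


if __name__ == "__main__":
    for n, action, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is a mutable reference")
    print(pin_action(SAMPLE_WORKFLOW, "xygeni/xygeni-action", REMEDIATION_SHA, "pinned after CVE-2026-31976"))
    for line, in_window in find_ioc_connections(SAMPLE_EGRESS_LOG):
        print(("IN WINDOW     " if in_window else "out of window ") + line)
```

Note that `find_mutable_refs` also flags `actions/checkout@v4`: the fix for this advisory is to pin every third-party action, not only xygeni-action, since any mutable tag can be poisoned the same way. A hit on the IOC outside the window is still worth a look; it means a runner is still resolving the attacker's infrastructure after the tag was repaired.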

