CVE-2026-24844: melange pipeline working-directory could allow command injection

February 3, 2026 (updated February 4, 2026)

An attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping.

References

github.com/advisories/GHSA-vqqr-rmpc-hhg2
github.com/chainguard-dev/melange
github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8
github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2
nvd.nist.gov/vuln/detail/CVE-2026-24844

Code Behaviors & Features

Detect and mitigate CVE-2026-24844 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →