CVE-2026-54344 PUBLISHED

ToolJet GitHub Actions comment body shell injection exposes deployment secrets

Assigner: GitHub_M
Reserved: 12.06.2026 Published: 08.07.2026 Updated: 08.07.2026

ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a deploy command to execute shell commands on the CI runner and exfiltrate deployment secrets. This issue is reported as fixed in version 3.20.180.

Metrics

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CVSS Score: 4.7

Product Status

Vendor ToolJet
Product ToolJet
Versions
  • Version < 3.20.180 is affected

References

Problem Types

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE