CVE-2026-54344 in ToolJetinfo

Summary

by MITRE • 07/08/2026

ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a deploy command to execute shell commands on the CI runner and exfiltrate deployment secrets. This issue is reported as fixed in version 3.20.180.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability affects ToolJet's continuous integration workflow where the platform processes GitHub pull request comments to trigger deployment previews. The flaw exists in how the system handles user input from github.event.comment.body without proper sanitization or validation before incorporating it into shell command execution contexts. When a user comments on an open pull request with a deploy command, the platform constructs bash conditional statements that directly include this comment content, creating a classic command injection vulnerability.

The technical implementation involves the interpolation of untrusted input into shell commands within CI/CD pipelines, which represents a critical security flaw that maps to CWE-78 and CWE-94 in the Common Weakness Enumeration catalog. This allows attackers to execute arbitrary shell commands on the CI runner with the privileges of the pipeline execution environment, effectively providing them with access to deployment secrets and other sensitive information stored within the build environment.

The operational impact is severe as any GitHub user with commenting privileges on open pull requests can leverage this vulnerability to gain unauthorized access to sensitive deployment credentials, configuration files, and potentially compromise the entire software supply chain. The attack vector specifically targets CI/CD environments where the principle of least privilege is often not properly enforced, allowing lateral movement and information exfiltration from the development infrastructure. This vulnerability directly aligns with ATT&CK technique T1059.004 for executing shell commands and T1531 for credential access through compromised accounts.

The fix implemented in version 3.20.180 likely involves proper input validation and sanitization of the github.event.comment.body content before it is processed by the CI workflow. This remediation should include parameterized command execution, input whitelisting, or comprehensive escaping of special shell characters to prevent unintended command interpretation. Organizations using ToolJet should ensure immediate upgrade to version 3.20.180 or later and review their CI/CD pipeline configurations for similar injection vulnerabilities in other components. The vulnerability demonstrates the critical importance of validating all user inputs within automated workflows and implementing proper security controls at the integration points between development platforms and deployment systems.

This issue highlights the broader challenge of securing CI/CD environments where automation often bypasses traditional security controls, making it essential to apply the same rigorous input validation principles to build scripts as would be applied to web applications. The vulnerability serves as a reminder that even seemingly benign features like comment-based deployment triggers can become attack vectors when proper security controls are not implemented in automated systems.

Responsible

GitHub M

Reservation

06/12/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!