CVE-2026-42298
Postiz · Postiz
A "Pwn Request" vulnerability in Postiz allows unauthenticated users to execute arbitrary code via malicious pull requests, leading to credential exfiltration.
Executive summary
An unauthenticated arbitrary code execution vulnerability in the Postiz CI/CD workflow allows attackers to exfiltrate highly privileged tokens.
Vulnerability
The Docker build workflow fails to safely handle external inputs, allowing an unauthenticated attacker to inject malicious code during the build process and exfiltrate the GITHUB_TOKEN.
Business impact
The ability to steal write-access tokens grants attackers control over the repository and potentially the entire software supply chain. Given the CVSS score of 10, this is a critical threat that could lead to widespread unauthorized code commits and severe reputational damage.
Remediation
Immediate Action: Update the affected workflow files to the version provided in commit da44801 or later.
Proactive Monitoring: Audit recent pull requests and review repository audit logs for any unauthorized access or unusual CI/CD pipeline behavior.
Compensating Controls: Implement stricter branch protection rules and scope the GITHUB_TOKEN used in automated workflows to the minimum permissions each job needs (read-only wherever the job does not have to write).
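The advisory does not reproduce the Postiz workflow, so the following is an added audit script, not code from the Postiz project or the advisory. It assumes the widely documented "Pwn Request" shape: a workflow triggered by pull_request_target (which runs with a write-capable GITHUB_TOKEN and repository secrets) that checks out the pull request head, so code from an unauthenticated contributor runs inside the privileged job. Both workflow texts below are constructed stand-ins for that pattern and its hardened counterpart; the checks are line-oriented regexes that are adequate for triage of a repository's .github/workflows directory but are not a substitute for a proper YAML parser.

```python
import re
from dataclasses import dataclass

# Constructed sample of the risky pattern (NOT the Postiz workflow): a
# privileged pull_request_target trigger plus checkout of the PR head.
RISKY_WORKFLOW = """\
name: Build Docker image
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: docker build -t app .
"""

# Constructed hardened counterpart: untrusted code runs under the
# pull_request trigger (read-only token for forks) and the token is
# explicitly scoped to contents: read.
HARDENED_WORKFLOW = """\
name: Build Docker image
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app .
"""


@dataclass
class Finding:
    rule: str
    detail: str


# Trigger declared as a mapping key, a list item, or inline "on: [...]".
_PR_TARGET = re.compile(
    r"^\s*(-\s*)?pull_request_target\s*:?\s*$|^\s*on\s*:.*\bpull_request_target\b", re.M
)
# actions/checkout pointed at the pull request head (sha, ref or head_ref).
_PR_HEAD_REF = re.compile(
    r"ref\s*:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}"
)
_PERMISSIONS = re.compile(r"^\s*permissions\s*:", re.M)
_WRITE_ALL = re.compile(r"^\s*permissions\s*:\s*write-all\s*$", re.M)


def audit_workflow(text: str) -> list[Finding]:
    """Return findings for one workflow file's text, in rule order."""
    findings: list[Finding] = []
    privileged_trigger = bool(_PR_TARGET.search(text))
    checks_out_pr_head = bool(_PR_HEAD_REF.search(text))
    if privileged_trigger and checks_out_pr_head:
        findings.append(Finding(
            "pwn-request",
            "pull_request_target job checks out the PR head: contributor code "
            "runs with the privileged GITHUB_TOKEN and secrets",
        ))
    elif privileged_trigger:
        findings.append(Finding(
            "privileged-trigger",
            "pull_request_target grants a write-capable token; confirm no step "
            "executes code or build files taken from the pull request",
        ))
    if not _PERMISSIONS.search(text):
        findings.append(Finding(
            "no-permissions-block",
            "no permissions: block, so the token inherits the repository "
            "default, which may be write",
        ))
    elif _WRITE_ALL.search(text):
        findings.append(Finding("write-all", "permissions: write-all grants every scope"))
    return findings


def rules_for(text: str) -> list[str]:
    """Rule names only, convenient for scripting over many files."""
    return [f.rule for f in audit_workflow(text)]


if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {rules_for(wf) or ['clean']}")
```

Run over every file under .github/workflows and treat any pwn-request finding as a priority review item; a workflow that legitimately needs pull_request_target (for example to label or comment on forks) should keep the privileged job free of checked-out PR code and declare a minimal permissions: block.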
Exploitation status
Public Exploit Available: No
Analyst recommendation
This is an extremely severe supply chain vulnerability. Security teams must ensure all CI/CD pipelines are patched and that access tokens are rotated if there is any suspicion of compromise.