CVE-2026-45131
CloudPirates · Open Source Helm Charts
A GitHub Actions workflow in CloudPirates Helm Charts executes attacker-controlled code from forks, exposing repository secrets.
Executive summary
A critical configuration flaw in CloudPirates Helm Charts exposes sensitive repository credentials to unauthorized actors via GitHub Actions.
Vulnerability
The pull-request.yaml GitHub Actions workflow runs code from untrusted forks in a privileged context, exposing Docker Hub credentials and other repository secrets without requiring approval.
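The advisory names the workflow but not its exact trigger, so the following is an added illustration rather than the project's real pull-request.yaml or its fix. It assumes the usual shape of this defect: a workflow triggered by a privileged event such as pull_request_target that then checks out the contributor's head commit and runs it next to repository secrets. The script embeds a constructed vulnerable workflow, a constructed hardened one (plain pull_request, no checkout of the PR head, an explicit read-only permissions block), and a small heuristic auditor a maintainer can point at a .github/workflows directory to find the same pattern elsewhere.

```python
"""Heuristic audit for GitHub Actions workflows that run fork-supplied code in a
privileged context. Added example, not CloudPirates' code or workflow."""
import re

# Constructed sample: the assumed shape of the flaw (pull_request_target + checkout of
# the PR head + secrets in the same job). Not the project's real file.
VULNERABLE_WORKFLOW = """\
name: pull-request
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make lint
        env:
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
"""

# Constructed hardened counterpart: pull_request gives fork PRs a read-only token and no
# secrets, the checkout defaults to the merge ref, and permissions are explicit.
HARDENED_WORKFLOW = """\
name: pull-request
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: make lint
"""

# Events that run with the base repository's token and secrets even when the activity
# originated from a fork.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")
# Expressions that point a checkout at the contributor's (untrusted) commit.
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")
SECRETS_RE = re.compile(r"\$\{\{\s*secrets\.")


def privileged_triggers(text: str) -> list[str]:
    """Privileged trigger names present in the workflow text (heuristic: matched anywhere
    in the file, not only under 'on:')."""
    return [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", text)]


def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means the pattern was not found."""
    findings: list[str] = []
    triggers = privileged_triggers(text)
    if not triggers:
        return findings  # plain pull_request: fork PRs get a read-only token and no secrets
    if HEAD_REF_RE.search(text):
        findings.append(
            f"{','.join(triggers)} job checks out the PR head: fork-supplied code runs "
            "in the base repository's privileged context")
        if SECRETS_RE.search(text):
            findings.append("that job also references repository secrets, so they are "
                            "readable by the fork's code")
    if "permissions:" not in text:
        findings.append("no explicit 'permissions:' block; GITHUB_TOKEN scope depends on "
                        "repository defaults and may include write")
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit_workflow(wf) or ['no findings']}")
```

The check is deliberately conservative: a privileged trigger alone is not flagged, because pull_request_target is legitimate when the job never checks out or executes contributor code (for example, a labeler). The combination of a privileged trigger, a head-ref checkout and a secrets reference is what the advisory's description corresponds to.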
Business impact
Exposure of credentials allows attackers to access private container registries and potentially inject malicious code into the software supply chain. With a CVSS score of 10.0, this vulnerability presents a catastrophic risk to the security of the build pipeline and downstream software users.
Remediation
Immediate Action: Update to commit fcf9302 or later to secure the GitHub Actions workflow and isolate untrusted code execution.
Proactive Monitoring: Audit repository secret usage logs and verify whether any credentials have been accessed or used by unauthorized parties.
Compensating Controls: Rotate all secrets (Docker Hub credentials, tokens) that were exposed or potentially accessible during the vulnerable period.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents a significant supply chain risk. Organizations using these Helm charts must update to the patched version and treat all previously stored secrets as compromised, necessitating a mandatory rotation of all affected credentials.