ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a deploy command to execute shell commands on the CI runner and exfiltrate deployment secrets. This issue is reported as fixed in version 3.20.180.
History

Wed, 08 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a deploy command to execute shell commands on the CI runner and exfiltrate deployment secrets. This issue is reported as fixed in version 3.20.180.
Title ToolJet GitHub Actions comment body shell injection exposes deployment secrets
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T16:19:26.299Z

Reserved: 2026-06-12T19:23:22.317Z

Link: CVE-2026-54344

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.