External risk intelligence

Duck Site Deploy Workflow Bypass.

CVE advisorySeverity: CRITICAL (CVSS 9.5)

CVE-2026-47174

A critical vulnerability exists in Duck Site's deployment workflow that could allow an attacker to deploy unmerged code directly to production. This occurs if a pull request meets conditions that trigger the deploy workflow, which runs with elevated permissions. The primary concern is confirming the relevance and expos

1Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-47174

This vulnerability exists within a CI/CD build and deployment workflow configuration. Such processes are internal development and infrastructure pipeline activities that do not involve public-internet-facing endpoints or services.

PCI scan relevance

PCI Relevance for CVE-2026-47174

Yes

CVE-2026-47174 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability could allow an attacker to deploy malicious code to a production site, which is a type of remote code execution that typically results in a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves a deployment workflow in the Duck Site technology that could allow unauthorized code to be deployed to production. If an attacker can manipulate the build process, their code could bypass standard review and directly become the live production site. The primary concern is confirming if this specific internal process is relevant to your environment and if it is exposed.

  • Code can deploy to production without review.
  • Understand if internal deployment processes are vulnerable.
  • Verify relevance and exposure to internal systems.

Attack Path

How an attacker could exploit the issue

An attacker could compromise the production site by submitting a pull request that meets the conditions for triggering the deploy workflow. This workflow, which runs with elevated permissions, would then deploy the attacker's code directly to production without merging it into the main branch. This process bypasses standard code review and deployment gates, allowing malicious code to become the live site.

  • An attacker submits a special pull request.
  • The pull request triggers a deploy workflow.
  • Attacker code is deployed to production.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker-controlled pull request to deploy malicious code directly to the production site without being merged into the main codebase, bypassing typical review processes. This is possible when the build workflow on a pull request satisfies conditions that trigger the deploy workflow, which has elevated permissions.

  • Deployed production site code.
  • Pull request can trigger deploy workflow.
  • Production site compromised with malicious code.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Duck Site's deploy workflow impacts organizations using the affected version. The risk lies in an attacker potentially deploying unmerged code to production through a crafted pull request. Owners of the application and the CI/CD platform should collaborate to address this. The immediate first step is to identify all instances of the affected technology, confirm their exposure and business criticality, and then plan remediation.

  • Application and CI/CD platform owners.
  • Verify production deployment reachability.
  • Coordinate vendor patch or workaround.

Frequently asked questions

What is Duck Site and its role in development?

Duck Site is a software repository that includes automated CI/CD workflows for building and deploying code. It is designed to streamline the software delivery process by automatically moving code from a build stage to a production deployment environment using specialized permissions and secrets.

What does CWE-829 mean for CVE-2026-47174?

CWE-829, or Inclusion of Functionality from Untrusted Control Sphere, describes a situation where an application relies on code or configurations from an untrusted source. In this CVE, the workflow is tricked into treating unverified, attacker-controlled code from a pull request as if it were legitimate, authorized code ready for production deployment.

How can an attacker trigger this workflow vulnerability?

An attacker must submit a pull request that is specifically crafted to satisfy the conditions normally reserved for the main branch. Once the build workflow completes, the vulnerable deploy workflow incorrectly identifies the attacker's commit as valid, builds it into a production image, and pushes it to the live site. Standard pull requests that do not meet these specific deployment branch conditions will not trigger the bug.

Is this CVE a risk to my public-facing website?

According to Halo Surface Signal, this vulnerability is very unlikely to be reachable from the public internet. Because the flaw exists within internal CI/CD pipeline activities rather than public-facing endpoints, it primarily impacts internal development infrastructure.

What should I do if I use Duck Site?

The most effective response is to update your Duck Site installation to version 1.0.1 or later. You should also audit your current CI/CD configurations to ensure that deployment workflows are strictly isolated from untrusted pull request environments and require manual approval before reaching production.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished