Security Advisory - Published 2026-06-12 - Developer Tooling
Developer tooling CVE batch: workflows, clusters, data transfers, and editors
Not all of these issues affect public websites. They affect the systems that build, deploy, analyze, or process code and data, so the exposure is often indirect: a pull request workflow, an imported image, an uploaded spreadsheet, a Grafana dashboard resource, an Airflow transfer, a cluster user, or a developer opening a file.
Group by operational owner
| Owner | CVEs | What to check |
|---|---|---|
| CI/CD | CVE-2026-47172, 47174, 48546 | Privileged GitHub Actions jobs, PR build promotion, package write tokens, runner secrets. |
| Container / sandbox | CVE-2026-46703 | Boxlite version, OCI image sources, sandbox host file changes. |
| Kubernetes / MCP / Operator | CVE-2026-53474, 46519, 32193, 11769 | Spreadsheet imports, service account tokens, MCP tool-call enforcement, AKS update state, Grafana Operator version, and dashboard/library panel permissions. |
| Data pipeline | CVE-2026-49818 | Airflow Samba provider version, GCS-to-SMB DAGs, destination path containment, SMB write logs. |
| MCP / database | CVE-2026-11529 | mysql-mcp-server version, database user scope, MCP client exposure, suspicious query history. |
| ML and image tooling | CVE-2026-11816, 2049 | Keras archive extraction, GIMP/GEGL image-processing workstations. |
| Developer editor | CVE-2026-52860 | Vim version in developer images and untrusted file workflows. |
| Peer networking | CVE-2026-46679 | js-libp2p gossipsub version and public peer memory alerts. |
Checks to run
gh workflow list
grep -RnE "workflow_run|pull_request_target|packages: write" .github/workflows
kubectl get sa,rolebinding,clusterrolebinding -A | grep -Ei "mcp|migration|planner"
kubectl get deploy,pod -A | grep -Ei "grafana-operator|grafana operator"
kubectl get grafanadashboards,grafanalibrarypanels -A -o name 2>/dev/null
az aks show --resource-group RESOURCE_GROUP --name CLUSTER_NAME --output table
python -m pip show apache-airflow-providers-samba mysql-mcp-server 2>/dev/null
grep -RnE "GCSToSambaOperator|mysql_mcp_server|mcp-server-kubernetes" dags .github docker-compose.yml pyproject.toml requirements*.txt 2>/dev/null
python -c "import keras; print(keras.__version__)" 2>/dev/null
vim --version | head -2
For workflows, review whether untrusted pull-request code can influence a later privileged deployment job. For imports, treat spreadsheets, archives, OCI images, model files, and uploaded images as untrusted even when they arrive from a normal user account.
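The grep above only lists trigger and permission keywords; the workflow review it points at needs the combination of both. The script below is an added example (not from this advisory's source, GitHub, or any project named here) that scans workflow text for that combination without any YAML dependency: a pull_request_target or workflow_run trigger together with write permissions, a checkout of the pull request head, or consumption of the triggering run's artifacts. The three workflows in SAMPLE_WORKFLOWS are constructed sample input; the regexes are approximate and assume conventional workflow layout (a top-level `on:` key, indented children).

```python
"""Added example: flag GitHub Actions workflows where untrusted PR code can
reach a privileged job. Constructed sample input, not real repository data."""
import re

RISKY_TRIGGERS = ("pull_request_target", "workflow_run")
# Permissions that let a job publish packages, push commits, mint OIDC tokens, or deploy.
WRITE_PERMISSION_RE = re.compile(
    r"^\s*(packages|contents|id-token|deployments):\s*write\b", re.M)
# Checking out the PR head inside a privileged trigger runs the untrusted code.
PR_HEAD_CHECKOUT_RE = re.compile(r"github\.event\.pull_request\.head\.\w+")
# A workflow_run job that pulls artifacts from the triggering run trusts that run's output.
ARTIFACT_RE = re.compile(r"actions/download-artifact|github\.event\.workflow_run")


def on_section(text):
    """Return the lines of the top-level 'on:' block (inline or nested form)."""
    captured, capturing = [], False
    for line in text.splitlines():
        if re.match(r"""^["']?on["']?:""", line):
            capturing, captured = True, [line]
            continue
        if capturing:
            stripped = line.strip()
            # A new non-indented key ends the block; blank and comment lines do not.
            if stripped and not line[0].isspace() and not stripped.startswith("#"):
                break
            captured.append(line)
    return "\n".join(captured)


def find_triggers(text):
    section = on_section(text)
    return sorted(t for t in RISKY_TRIGGERS if re.search(rf"\b{t}\b", section))


def find_write_permissions(text):
    return sorted(set(WRITE_PERMISSION_RE.findall(text)))


def assess(name, text):
    """Return human-readable findings for one workflow file."""
    triggers = find_triggers(text)
    if not triggers:
        return []
    findings = []
    perms = find_write_permissions(text)
    if perms:
        findings.append(f"{name}: runs on {', '.join(triggers)} with write permissions ({', '.join(perms)})")
    if PR_HEAD_CHECKOUT_RE.search(text):
        findings.append(f"{name}: runs on {', '.join(triggers)} and checks out the pull request head")
    if "workflow_run" in triggers and ARTIFACT_RE.search(text):
        findings.append(f"{name}: workflow_run job consumes the triggering run's artifacts; review their producer")
    return findings


def scan(workflows):
    """Map each workflow name to its findings (empty list means nothing flagged)."""
    return {name: assess(name, text) for name, text in workflows.items()}


# Constructed sample workflows (not taken from any real repository).
SAMPLE_WORKFLOWS = {
    "ci.yml": """name: ci
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
""",
    "publish.yml": """name: publish
on:
  pull_request_target:
    types: [labeled]
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make publish
""",
    "deploy.yml": """name: deploy
on:
  workflow_run:
    workflows: [ci]
    types: [completed]
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
      - run: ./deploy.sh
""",
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_WORKFLOWS).items():
        print(name, findings or "ok")
```

Run it against real files with `scan({p.name: p.read_text() for p in Path(".github/workflows").glob("*.y*ml")})`; a flagged workflow is a review candidate, not proof of exposure, since the scan cannot see what a checked-out script or downloaded artifact does.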
Post-patch cleanup
- Rotate GitHub Actions tokens if a vulnerable workflow had package-write or deploy secrets.
- Check recent container images and deployment digests before trusting "latest" tags.
- Review Kubernetes service account token access around migration-planner imports.
- For AKS, review recent low-privilege users, service principals, node pool activity, and cluster extension changes.
- For Grafana Operator, upgrade to 5.24.0 or newer. If patching is delayed, block new jsonnet-based dashboard and library panel resources until the operator is updated.
- For Airflow, upgrade apache-airflow-providers-samba to 4.12.6 or newer and review SMB destination writes from recent DAG runs.
- For mysql-mcp-server, upgrade to 0.3.0, limit the database account, and review MCP client access logs.
- Patch developer workstation images and CI containers that include Vim, Keras, GIMP, or GEGL.
- Move untrusted archive and image processing into isolated workers with strict time and memory limits.
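Two items in this advisory come down to the same defensive check: the "destination path containment" listed for GCS-to-SMB transfers in the owner table, and the archive handling behind the Keras item and the isolated-worker advice above. The block below is an added example, not code from the Airflow Samba provider, Keras, or any project on this page. It implements one containment function and applies it to both an archive member list (with a per-member size cap) and a transfer destination path; the share root, extraction root, file names, and the in-memory archive are all constructed sample input.

```python
"""Added example: one path-containment check reused for archive extraction and
for data-transfer destinations. All paths and archive contents are constructed."""
import io
import posixpath
import zipfile
from typing import Optional


def contained_path(root: str, candidate: str) -> Optional[str]:
    """Return the normalized path of candidate under root, or None if it would
    escape root. Rejects absolute candidates and '..' traversal; backslashes
    (common in SMB-style paths) are treated as separators before checking."""
    root = posixpath.normpath(root)
    candidate = candidate.replace("\\", "/")
    if posixpath.isabs(candidate):
        return None
    joined = posixpath.normpath(posixpath.join(root, candidate))
    if joined == root or joined.startswith(root + "/"):
        return joined
    return None


def vet_archive(archive_bytes: bytes, extract_root: str, max_member_bytes: int):
    """Decide, member by member, what may be extracted under extract_root.
    Returns (accepted_names, rejected) where rejected is a list of (name, reason).
    Nothing is written to disk; a worker would extract only the accepted names."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if contained_path(extract_root, info.filename) is None:
                rejected.append((info.filename, "path escapes extraction root"))
            elif info.file_size > max_member_bytes:
                rejected.append((info.filename, f"declared size {info.file_size} exceeds cap"))
            else:
                accepted.append(info.filename)
    return accepted, rejected


def smb_destination(share_root: str, requested: str) -> Optional[str]:
    """Resolve a DAG-supplied destination against the share root; None means refuse the write."""
    return contained_path(share_root, requested)


def build_sample_archive() -> bytes:
    """Constructed in-memory archive: two normal members plus three that a worker must reject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/config.json", "{}")
        zf.writestr("model/weights.bin", b"\0" * 32)
        zf.writestr("model/huge.bin", b"\0" * 4096)            # over the size cap below
        zf.writestr("../outside.txt", "constructed traversal member")
        zf.writestr("/abs/path.txt", "constructed absolute member")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = vet_archive(build_sample_archive(), "/work/extract", max_member_bytes=1024)
    print("extract:", ok)
    print("reject:", bad)
    for requested in ("daily/report.csv", "../finance/report.csv", "daily\\..\\..\\x.csv"):
        print(requested, "->", smb_destination("/share/exports", requested))
```

The size check uses the declared size from the central directory, which is enough to refuse obviously oversized members before extraction; a worker should still enforce the advisory's time and memory limits at the process level, since a declared size can lie.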
Ping7 repair path
Ping7 can review workflows, token scope, Kubernetes permissions, container image history, and suspicious build/deploy activity. Use CVE Repair when a build system, cluster, or sandbox host touches production credentials.
References
- Boxlite advisory GHSA-f396-4rp4-7v2j
- mcp-server-kubernetes advisory GHSA-cr22-wjx7-2w6m
- Red Hat CVE-2026-53474
- NVD CVE-2026-32193
- NVD CVE-2026-11769
- Grafana Operator CVE-2026-11769 advisory
- NVD CVE-2026-49818
- Apache Airflow Samba provider fix
- NVD CVE-2026-11529
- mysql-mcp-server 0.3.0 release
- Vim advisory GHSA-65p9-mwwx-7468
- js-libp2p advisory GHSA-4f8r-922h-2vgv