Skip to content

Child processes spawned by Renovate incorrectly have full access to environment variables

Moderate severity GitHub Reviewed Published Feb 13, 2026 in renovatebot/renovate • Updated Feb 13, 2026

Package

npm renovate (npm)

Affected versions

>= 42.68.1, < 42.96.3
>= 43.0.0, < 43.4.4

Patched versions

42.96.3
43.4.4

Description

When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to.

Since 42.68.1 (2025-12-30), this filtering had been inadvertently removed, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to.

This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment.

It is recommended to rotate (+ revoke) any credentials that Renovate has access to, in case any spawned child processes have attempted to exfiltrate any secrets.

Impact

Child processes spawned by Renovate (i.e. npm install, anything defined in postUpgradeTasks or postUpdateOptions) will have full access to the environment variables that the Renovate process has.

This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment.

Patches

This is patched in 42.96.3 and 43.4.4.

Workarounds

There are no workarounds, other than upgrading your Renovate version.

Why did this happen?

As part of work towards GHSA-pfq2-hh62-7m96, one of the preparatory changes we made was moving to execa.

One of the default behaviours of execa is to extend the process' environment variables with any new ones, rather than override them.

This was missed in code review, which meant that since this version, the full environment variables have been provided to any child processes spawned with execa by Renovate.

This was discovered as part of an unrelated change.

References

@jamietanna jamietanna published to renovatebot/renovate Feb 13, 2026
Published to the GitHub Advisory Database Feb 13, 2026
Reviewed Feb 13, 2026
Last updated Feb 13, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS score

Weaknesses

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-8wc6-vgrq-x6cf

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.