CVE-2026-46699 | conda-smithy is a tool for combining a conda recipe with con… | CVSS 7.6 HIGH

Description

conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.61.0, a vulnerability in the conda-forge automated webservices allowed unintended write access to feedstock repositories through GitHub username takeover. The root cause is the use of mutable GitHub usernames as identifiers for repository invitation routing, rather than stable, immutable GitHub user IDs. Version 3.61.0 fixes the issue.

Metadata

CVE ID: CVE-2026-46699
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-15 23:26 UTC
Published: 2026-06-18 20:47 UTC
Last updated: 2026-06-18 20:47 UTC
Primary CWE: CWE-284
CWE-284: Improper Access Control
Vendor / Product: conda-forge / conda-smithy
Sources: cve.org · NVD

Severity & Metrics

7.6 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Affected products (1)

Vendor	Product	Platform	Versions
conda-forge	conda-smithy	—	< 3.61.0

Weakness (CWE)

CWE	Source	Description
CWE-284	cna	CWE-284: Improper Access Control

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.6	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

References (2)

https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-g95q-3cmj-fvh8 https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-g95q-3cmj-fvh8
https://github.com/conda-forge/conda-smithy/commit/3b0bcd92ebd6f41edd341401d84583a20911c587 https://github.com/conda-forge/conda-smithy/commit/3b0bcd92ebd6f41edd341401d84583a20911c587