CVE-2026-46699
HIGHconda-smithy < 3.61.0 - GitHub Username Takeover Feedstock Write Access
Title source: manualDescription
conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.61.0, a vulnerability in the conda-forge automated webservices allowed unintended write access to feedstock repositories through GitHub username takeover. The root cause is the use of mutable GitHub usernames as identifiers for repository invitation routing, rather than stable, immutable GitHub user IDs. Version 3.61.0 fixes the issue.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-g95q-3cmj-fvh8
X_Refsource_Misc x_refsource_misc
https://github.com/conda-forge/conda-smithy/commit/3b0bcd92ebd6f41edd341401d84583a20911c587
Scores
CVSS v3
7.6
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Details
CWE
CWE-284
Status
published
Products (1)
conda-forge/conda-smithy
< 3.61.0
Published
Jun 18, 2026
Tracked Since
Jun 19, 2026