The Wire · Showcase
FASTAPI AND SQLMODEL PATCH CRITICAL GITHUB ACTIONS FLAW ACROSS THE STACK
By RepoJournal · Filed · About FastAPI & Pydantic
Both FastAPI and SQLModel just closed a privilege escalation hole in their CI/CD pipelines where fork pull requests could execute untrusted code in trusted contexts.
The vulnerability sits in GitHub Actions checkout configurations [1] [2] [3]. When `actions/checkout@v7` ran in `pull_request_target` contexts, it was checking out the fork's code instead of the base repository's trusted code, creating a window for an attacker to get code of their choosing executed inside the trusted workflow. FastAPI fixed this across two critical workflows, and SQLModel deployed the same fix. This matters because `pull_request_target` is exactly the context where sensitive operations such as release automation and notification systems run, with access to the base repository's secrets and write token. Meanwhile, Pydantic is shipping a performance win: caching the `ModelPrivateAttr.default_factory_takes_validated_data` property [4] [6] to eliminate redundant checks during model initialization. The team also clarified the YAML example documentation [5] [7] to list PyYAML as an explicit dependency rather than burying it in prose.
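A heuristic scanner for the review the next section asks for, added here as an example and not code from FastAPI, SQLModel or GitHub: it flags `actions/checkout` steps in a `pull_request_target` workflow whose `ref:` points at the PR head, run over a constructed sample workflow and its corrected form. It is line-based rather than a YAML parser, so it needs no PyYAML; treat its output as a triage list to confirm by hand.

```python
import re

# Constructed sample shaped like a release-notes automation workflow (not
# FastAPI's or SQLModel's real file): the ref override makes checkout fetch the
# fork's commit while the job still runs with the base repository's secrets.
VULNERABLE_WORKFLOW = """\
name: Latest changes
on:
  pull_request_target:
    types: [closed]
jobs:
  latest-changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: python ./scripts/latest_changes.py
"""
# Without the override, checkout in a pull_request_target run defaults to the
# base branch, i.e. the trusted code.
FIXED_WORKFLOW = VULNERABLE_WORKFLOW.replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", "")

CHECKOUT_RE = re.compile(r"^\s*(-\s+)?uses:\s*['\"]?actions/checkout@")
STEP_START_RE = re.compile(r"^\s*-\s")
HEAD_REF_RE = re.compile(  # ref: expressions that select the untrusted PR head
    r"^\s*ref:.*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)")

def indent(line):
    return len(line) - len(line.lstrip())

def find_unsafe_checkouts(workflow_text):
    """Return 1-based line numbers of actions/checkout steps whose ref: selects
    the PR head inside a pull_request_target workflow; [] for other triggers."""
    if not re.search(r"\bpull_request_target\b", workflow_text):
        return []
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not CHECKOUT_RE.match(line):
            continue
        base = indent(line)
        for follow in lines[i + 1:]:  # walk this step until dedent or next step
            if not follow.strip():
                continue
            if indent(follow) < base or (
                    STEP_START_RE.match(follow) and indent(follow) <= base):
                break
            if HEAD_REF_RE.match(follow):
                findings.append(i + 1)
                break
    return findings
```

Point it at each file under `.github/workflows/` and review every hit; a `pull_request`-triggered workflow that checks out the PR head is not flagged, since it runs without base-repository secrets.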
Action items
- Review your GitHub Actions workflows for `pull_request_target` checkout configurations; patch immediately if found (fastapi/fastapi) [immediate]
- Upgrade Pydantic if you're doing heavy private attribute factory validation (pydantic/pydantic) [plan]
- Audit SQLModel CI/CD if you maintain a fork with custom workflows (tiangolo/sqlmodel) [plan]
References
- [1] Fix notify translations checkout target (fastapi/fastapi)
- [2] Fix latest-changes checkout target (fastapi/fastapi)
- [3] Fix latest-changes checkout target (tiangolo/sqlmodel)
- [4] Cache `ModelPrivateAttr.default_factory_takes_validated_data` property (pydantic/pydantic)
- [5] Mention PyYAML installation for YAML example (pydantic/pydantic)
- [6] Cache `ModelPrivateAttr.default_factory_takes_validated_data` property, PR #13390 (pydantic/pydantic)
- [7] Mention PyYAML installation for YAML example, PR #13400 (pydantic/pydantic)
FAQ
- What changed in FastAPI & Pydantic on July 5, 2026?
- Both FastAPI and SQLModel just closed a privilege escalation hole in their CI/CD pipelines where fork pull requests could execute untrusted code in trusted contexts.
- What should FastAPI & Pydantic teams do about it?
- Review your GitHub Actions workflows for `pull_request_target` checkout configurations; patch immediately if found • Upgrade Pydantic if you're doing heavy private attribute factory validation • Audit SQLModel CI/CD if you maintain a fork with custom workflows
- Which FastAPI & Pydantic repositories shipped on July 5, 2026?
- fastapi/fastapi, tiangolo/sqlmodel, pydantic/pydantic